Open redirect vulnerability in a report-routing component in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. A remote attacker could exploit these vulnerabilities by enticing authenticated users to click on a crafted link, performing a man-in-the-middle attack, and crafted HTTP requests. Successful exploitation could allow the attacker to hijack a user session, gain access to administrator credentials, and gain access to confidential information.