9.3
CVE-2008-1965
- EPSS 10.68%
- Veröffentlicht 25.04.2008 19:05:00
- Zuletzt bearbeitet 16.06.2026 22:52:50
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Argument injection vulnerability in the cai: URI handler in rcplauncher in IBM Lotus Expeditor Client for Desktop 6.1.1 and 6.1.2, as used by Lotus Symphony and possibly other products, allows remote attackers to execute arbitrary code by injecting a -launcher option via a cai: URI, as demonstrated by a reference to a UNC share pathname.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Ibm ≫ Lotus Expeditor Client Version6.1.1 Editiondesktop
Ibm ≫ Lotus Expeditor Client Version6.1.2 Editiondesktop
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 10.68% | 0.952 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.3 | 8.6 | 10 |
AV:N/AC:M/Au:N/C:C/I:C/A:C
|
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
http://archives.neohapsis.com/archives/fulldisclosure/2008-04/0640.html
http://secunia.com/advisories/29958
http://thomas.pollet.googlepages.com/lotusexpeditorurihandlervulnerability
http://www-1.ibm.com/support/docview.wss?uid=swg21303813
http://www.securityfocus.com/archive/1/491343/100/0/threaded
http://www.securityfocus.com/bid/28926
http://www.securitytracker.com/id?1019951
http://www.securitytracker.com/id?1019952
http://www.vupen.com/english/advisories/2008/1394/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/41990