9.8

CVE-2014-0780

Warnung
Exploit
Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
IndusoftWeb Studio Version7.1 Update-
IndusoftWeb Studio Version7.1 Updatesp1
IndusoftWeb Studio Version7.1 Updatesp2

15.04.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

InduSoft Web Studio NTWebServer Directory Traversal Vulnerability

Schwachstelle

InduSoft Web Studio NTWebServer contains a directory traversal vulnerability that allows remote attackers to read administrative passwords in APP files, allowing for remote code execution.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 89.26% 0.996
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ics-cert@hq.dhs.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

http://ics-cert.us-cert.gov/advisories/ICSA-14-107-02
Patch
Third Party Advisory
US Government Resource
http://www.securityfocus.com/bid/67056
Third Party Advisory
Broken Link
VDB Entry
https://www.exploit-db.com/exploits/42699/
Third Party Advisory
Exploit
VDB Entry