CVE-2019-13063

Exploit

EPSS 15.88%
Veröffentlicht 23.09.2019 15:15:10
Zuletzt bearbeitet 21.11.2024 04:24:07
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Within Sahi Pro 8.0.0, an attacker can send a specially crafted URL to include any victim files on the system via the script parameter on the Script_view page. This will result in file disclosure (i.e., being able to pull any file from the remote victim application). This can be used to steal and obtain sensitive config and other files. This can result in complete compromise of the application. The script parameter is vulnerable to directory traversal and both local and remote file inclusion.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sahipro ≫ Sahi Pro Version8.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	15.88%	0.945

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://sahipro.com/downloads-archive/

Vendor Advisory

https://www.exploit-db.com/exploits/47062

Third Party Advisory

Exploit

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2019-13063

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-13063

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-13063

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2019-13063