CVE-2007-6198 - portal/server.pt in the Plumtree portal in BEA AquaLogic Interaction 5.0.2 through 5.0.4 and 6.0.1.2

CVE-2007-6198

Summary

portal/server.pt in the Plumtree portal in BEA AquaLogic Interaction 5.0.2 through 5.0.4 and 6.0.1.218452 allows wildcards in advanced searches for usernames, which allows remote attackers to enumerate valid usernames via the in_tx_fulltext parameter.

References

Vulnerable Configurations

cpe:2.3:a:bea:aqualogic_interaction:5.0.2:*:*:*:*:*:*:*
cpe:2.3:a:bea:aqualogic_interaction:5.0.2:*:*:*:*:*:*:*
cpe:2.3:a:bea:aqualogic_interaction:5.0.3:*:*:*:*:*:*:*
cpe:2.3:a:bea:aqualogic_interaction:5.0.3:*:*:*:*:*:*:*
cpe:2.3:a:bea:aqualogic_interaction:5.0.4:*:*:*:*:*:*:*
cpe:2.3:a:bea:aqualogic_interaction:5.0.4:*:*:*:*:*:*:*
cpe:2.3:a:bea:aqualogic_interaction:6.0.1.218452:*:*:*:*:*:*:*
cpe:2.3:a:bea:aqualogic_interaction:6.0.1.218452:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 15-10-2018 - 21:50)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:N/A:N

refmap via4

bid	26620
bugtraq	20071201 PR06-11: BEA Plumtree portal search facility leaks usernames to unauthenticated users
misc	http://procheckup.com/Vulnerability_PR06-11.php
sectrack	1019004
secunia	27840
vupen	ADV-2007-4040

Last major update

15-10-2018 - 21:50

Published

01-12-2007 - 06:46

Last modified

15-10-2018 - 21:50