ID CVE-2010-1913
Summary The default configuration of pluginlicense.ini for the SdcWebSecureBase interface in tgctlcm.dll in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance, when downloaded from a server operated by Telefonica or possibly other companies, contains an incorrect DNS whitelist that includes the DNS hostnames of home computers of many persons, which allows remote attackers to bypass intended restrictions on ActiveX execution by hosting an ActiveX control on an applicable home web server.
References
Vulnerable Configurations
  • cpe:2.3:a:consona:consona_dynamic_agent:-:-:enterprise:*:*:*:*:*
  • cpe:2.3:a:consona:consona_dynamic_agent:-:-:marketing:*:*:*:*:*
  • cpe:2.3:a:consona:consona_dynamic_agent:-:-:support:*:*:*:*:*
  • cpe:2.3:a:consona:consona_live_assistance:*:*:*:*:*:*:*:*
  • cpe:2.3:a:consona:consona_subscriber_assistance:*:*:*:*:*:*:*:*
CVSS
Base: 9.3 (as of 10-10-2018 - 19:58)
Impact:
Exploitability:
CWE CWE-16
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
cvss-vector via4 AV:N/AC:M/Au:N/C:C/I:C/A:C
refmap via4
bugtraq 20100507 [Wintercore Research] Consona Products - Multiple vulnerabilities
cert-vn VU#602801
misc
Last major update 10-10-2018 - 19:58
Published 12-05-2010 - 11:46
Last modified 10-10-2018 - 19:58