CVE-2017-16610 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of

CVE-2017-16610

Summary

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Netgain Enterprise Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within upload_save_do.jsp. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code under the context of the current user. Was ZDI-CAN-4751.

References

Vulnerable Configurations

cpe:2.3:a:netgain-systems:enterprise_manager:7.2.699:*:*:*:*:*:*:*
cpe:2.3:a:netgain-systems:enterprise_manager:7.2.699:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 09-10-2019 - 23:25)
Impact:
Exploitability:

CWE

CWE-668

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

misc

Last major update

09-10-2019 - 23:25

Published

23-01-2018 - 01:29

Last modified

09-10-2019 - 23:25