Vulnerability CVE-2013-3508

Vulnerability CVE-2013-3508

Published: 2013-05-08

Description:

html/System-Files.php in the System File Overview feature in the NeDi component in GroundWork Monitor Enterprise 6.7.0 allows remote authenticated users to execute arbitrary commands via vectors involving file editing.

See advisories in our WLB2 database:

	Topic	Author	Date
High	GroundWork Monitor Enterprise 6.7.0 SQL Injection / Command Execution	Johannes Greil	08.03.2013

Type:

CWE-94

(Improper Control of Generation of Code ('Code Injection'))

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
6.5/10	6.4/10	8/10

Exploit range	Attack complexity	Authentication
Remote	Low	Single time
Confidentiality impact	Integrity impact	Availability impact
Partial	Partial	Partial

Affected software
GWOS -> Groundwork monitor

References:

http://www.kb.cert.org/vuls/id/345260

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130308-1_GroundWork_Monitoring_Multiple_high_risk_vulnerabilities_part2_wo_poc_v10.txt

https://kb.groundworkopensource.com/display/SUPPORT/SA6.7.0-1+Some+web+components+allow+bypass+of+role+access+controls

Vulnerability CVE-2013-3508

html/System-Files.php in the System File Overview feature in the NeDi component in GroundWork Monitor Enterprise 6.7.0 allows remote authenticated users to execute arbitrary commands via vectors involving file editing.

See advisories in our WLB2 database:

High

GroundWork Monitor Enterprise 6.7.0 SQL Injection / Command Execution

CWE-94

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

6.5/10

6.4/10

8/10

Remote

Low

Single time

Partial

Partial

Partial

Affected software

References: