Vulnerability CVE-2014-6194


Published: 2015-02-16   Modified: 2017-09-07

Description:
Directory traversal vulnerability in an unspecified web form in IBM Maximo Asset Management 7.1 through 7.1.1.13 and 7.5.0 before 7.5.0.6 IFIX007, Maximo Asset Management 7.5.0 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products allows remote authenticated users to read arbitrary files via a .. (dot dot) in a pathname.

Vendor: IBM
Product: Smartcloud control desk 
Version:
7.5.1.1
7.5.1.0
7.5.0.5
7.5.0.3
7.5.0.2
7.5.0.1
Product: Maximo asset management 
Version:
7.5.0.6
7.5.0.5
7.5.0.4
7.5.0.3
7.5.0.2
7.5.0.10
7.5.0.1
7.5.0.0
7.1.2
7.1.1.9
7.1.1.8
7.1.1.7
7.1.1.6
7.1.1.5
7.1.1.2
7.1.1.13
7.1.1.12
7.1.1.11
7.1.1.10
7.1.1.1
7.1.1
7.1
Product: Maximo asset management essentials 
Version: 7.5.0.0; 7.1;
Product: Maximo for government 
Version: 7.5.0.0; 7.1;
Product: Maximo for life sciences 
Version: 7.5.0.0; 7.1;
Product: Maximo for nuclear power 
Version: 7.5.0.0; 7.1;
Product: Maximo for oil and gas 
Version: 7.5.0.0; 7.1;
Product: Maximo for transportation 
Version: 7.5.0.0; 7.1;
Product: Maximo for utilities 
Version: 7.5.0.0; 7.1;
Product: Change and configuration management database 
Version: 7.2; 7.1;
Product: Tivoli asset management for it 
Version: 7.2; 7.1;
Product: Tivoli service request manager 
Version: 7.2; 7.1;

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4/10
2.9/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
http://www-01.ibm.com/support/docview.wss?uid=swg21694035
https://exchange.xforce.ibmcloud.com/vulnerabilities/98605

Related CVE
CVE-2017-1650
IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure wit...
CVE-2017-1607
IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure wit...
CVE-2017-16892
IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure wit...
CVE-2017-16880
IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure wit...
CVE-2017-1710
A vulnerability in the Service Assistant GUI in IBM Storwize V7000 (2076) 8.1 could allow a remote attacker to perform a privilege escalation. IBM X-Force ID: 134531.
CVE-2017-16780
IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials ...
CVE-2017-1554
IBM Infosphere BigInsights 4.2.0 and 4.2.5 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's clic...
CVE-2017-1552
IBM Infosphere BigInsights 4.2.0 and 4.2.5 is vulnerable to link injection. By persuading a victim to click on a specially-crafted URL link, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, ...

Copyright 2017, cxsecurity.com

 

Back to Top