Vulnerability CVE-2020-15492


Published: 2020-07-23

Description:
An issue was discovered in INNEO Startup TOOLS 2017 M021 12.0.66.3784 through 2018 M040 13.0.70.3804. The sut_srv.exe web application (served on TCP port 85) includes user input into a filesystem access without any further validation. This might allow an unauthenticated attacker to read files on the server via Directory Traversal, or possibly have unspecified other impact.

See advisories in our WLB2 database:
Topic: INNEO Startup TOOLS 2018 M040 13.0.70.3804 Remote Code Execution (High)
Author: Patrick Hener, S...
Date: 04.08.2020

Type: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software: Inneo -> Startup tools

References:
http://packetstormsecurity.com/files/158556/INNEO-Startup-TOOLS-2018-M040-13.0.70.3804-Remote-Code-Execution.html
https://www.inneo.co.uk/en/product-development/inneo-in-house-products/startup-tools.html
https://www.inneo.de/files/content/Produktentwicklung/Tools-und-Erweiterungen/Startup-TOOLS/INNEO-SA-SUT-2020-01.pdf
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-028.txt
https://www.syss.de/pentest-blog/2020/syss-2020-028-sicherheitsschwachstelle-in-inneo-startup-tools-2017-und-2018/

Copyright 2024, cxsecurity.com

 
