OpenWGA Developer Studio 3.1.0 OpenDialog Arbitrary Code Execution

2016.04.14
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Vendor: Innovation Gate GmbH
Product web page: https://www.openwga.com
Affected version: 3.1.0.r00147

Summary: The OpenWGA Developer Studio packages an OpenWGA CMS server together with all necessary development and deployment tools to create, develop, deploy, share and maintain your OpenWGA CMS applications.

Desc: The application suffers from an arbitrary code execution vulnerability when using the File OpenDialog box, enabling the attacker to execute any binary he or she chooses, including elevation of privileges.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)
           Java/1.8.0.77-b03

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2016-5317
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5317.php

23.02.2016

--

From the menu:

File > Open > "c:\windows\system32\calc.exe"

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5317.php

