SB2015052903 - Multiple vulnerabilities in NetCharts Server
Published: May 29, 2015 Updated: August 9, 2020
Description
This security bulletin contains information about 3 vulnerabilities.
1) Arbitrary file upload (CVE-ID: CVE-2014-8516)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Unrestricted file upload vulnerability in Visual Mining NetCharts Server allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2015-4032)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
projectContents.jsp in the Developer tools in Visual Mining NetCharts Server allows remote attackers to rename arbitrary files, and consequently execute them, via unspecified vectors.
3) Path traversal (CVE-ID: CVE-2015-4031)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences in saveFile.jsp in the development installation of Visual Mining NetCharts Server. A remote authenticated attacker can send a specially crafted HTTP request and write to arbitrary files via unspecified vectors.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- http://www.securityfocus.com/bid/70895
- http://www.zerodayinitiative.com/advisories/ZDI-14-372/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98475
- https://packetstormsecurity.com/files/129023
- http://www.securityfocus.com/bid/74788
- http://www.zerodayinitiative.com/advisories/ZDI-15-238/
- http://www.securityfocus.com/bid/74792
- http://www.zerodayinitiative.com/advisories/ZDI-15-237/