Main Vulnerability Database SB2018021329

SB2018021329 - Remote code execution in HPE Performance Center

Published: February 13, 2018 Updated: January 26, 2023

Security Bulletin ID SB2018021329

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Improper security restrictions (CVE-ID: CVE-2017-11357)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists in Progress Telerik User Interface (UI) for ASP.NET AJAX due to use of user-supplied input by RadAsyncUpload without modification or validation. A remote attacker can upload arbitrary files and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Install update from vendor's website.

References

https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03091103