Information disclosure in IPConfigure Orchid

Published: 2018-07-17 12:24:23
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2018-10956
CVSSv3: 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CWE ID: CWE-22
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: IPConfigure Orchid
Vulnerable software versions: IPConfigure Orchid 2.0.5
Vendor URL: IPConfigure, Inc.

Security Advisory

1) Path traversal

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to path traversal. A remote attacker can send specially crafted GET requests to conduct a directory traversal attack and read arbitrary files outside of the application's web directory.

Remediation

Update to version 2.0.6.

External links

https://packetstormsecurity.com/files/148274/IPConfigure-Orchid-VMS-2.0.5-Directory-Traversal-Inform...
