SB2020071632 - Multiple vulnerabilities in Primavera P6 Enterprise Project Portfolio Management
Published: July 16, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2020-14653)
The vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the Web Access component in Primavera P6 Enterprise Project Portfolio Management. A remote authenticated user can exploit this vulnerability to read and manipulate data.
2) Improper input validation (CVE-ID: CVE-2020-14706)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Web Access component in Primavera P6 Enterprise Project Portfolio Management. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
3) Improper access control (CVE-ID: CVE-2018-17196)
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper security restrictions imposed by the affected software. A remote authenticated attacker with write permission on respective topics can send a crafted Produce request that is designed to bypass transaction/idempotent access control list (ACL) validation.
4) Exposed dangerous method or function (CVE-ID: CVE-2020-10683)
The vulnerability allows a remote attacker to abuse implemented functionality.
The vulnerability exists due to dom4j allows by default external DTDs and External Entities. A remote attacker can abuse this functionality and perform XXE attack against application that uses dom4j default configuration.
Remediation
Install update from vendor's website.