#VU38606 Path traversal in Nitro Pro - CVE-2017-7442
Published: August 3, 2017 / Updated: August 9, 2020
Vulnerability identifier: #VU38606
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2017-7442
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Nitro Pro
Software vendor:
Nitro Software, Inc.
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Nitro Pro 11.0.3.173 allows remote attackers to execute arbitrary code via saveAs and launchURL calls with directory traversal sequences.
Remediation
Install the update from the vendor's website.