#VU52012 Incorrect default permissions in Dream Report
Vulnerability identifier: #VU52012
Vulnerability risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-276
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Dream Report
Server applications /
SCADA systems
Vendor: Ocean Data Systems
Description
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions for files and folders that are set by the application in the "Syncfusion Dashboard Service". A remote attacker can use a specially crafted file and gain elevated privileges on the target system.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Dream Report: 5 R20-2
External links
http://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1146
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
