| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <15E9FA21-6298-49A5-A53F-C5D9AF503B43@ddifrontline.com> Date: Thu, 9 May 2013 12:31:30 -0500 From: ddivulnalert <ddivulnalert@...frontline.com> To: <full-disclosure@...ts.grok.org.uk> Subject: DDIVRT-2013-53 Actuate 'ActuateJavaComponent' Multiple Vulnerabilities Title ----- DDIVRT-2013-53 Actuate 'ActuateJavaComponent' Multiple Vulnerabilities Severity -------- High Date Discovered --------------- March 19, 2013 Discovered By ------------- Digital Defense, Inc. Vulnerability Research Team Credit: Dennis Lavrinenko, Bobby Lockett, and r@...$ 1. Actuate 'ActuateJavaComponent' Arbitrary File Retrieval Vulnerability Description ------------------------- Actuate 10 contains a vulnerability within the 'ActuateJavaComponent'. This component allows unauthenticated attackers to retrieve arbitrary system files located outside of the web root. Solution Description -------------------- A solution for this security issue is not available at this time. End-users can mitigate this flaw by limiting access to affected systems through the use of access controls. 2. Actuate 'ActuateJavaComponent' Arbitrary Directory Browsing Vulnerability Vulnerability Description ------------------------- Actuate 10 contains an arbitrary directory browsing vulnerability within the 'ActuateJavaComponent'. This vulnerability allows the contents of any drive or directory to be browsed within the web application's interface. Solution Description -------------------- A solution for this security issue is not available at this time. End-users can mitigate this flaw by limiting access to affected systems through the use of access controls. Tested Systems / Software ------------------------- Actuate 10 Service Pack 1 Fix 4 Vendor Contact -------------- Vendor Name: Actuate Corporation Vendor Website: http://www.actuate.com/home/ Current Advisory -------------- http://www.ddifrontline.com/company/SecuritySpotlight/2013/05/u2545 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists