CVE-2004-0204

Name of the Vulnerable Software and Affected Versions Business Objects Crystal Reports versions 9 and 10 Crystal Enterprise versions 9 and 10

Description A directory traversal issue exists in the web viewers for the mentioned products, allowing remote attackers to read and delete arbitrary files. This is achieved by using ".." sequences in the dynamicimag argument to the "crystalimagehandler.aspx" API endpoint.

Recommendations For Business Objects Crystal Reports versions 9 and 10, and Crystal Enterprise versions 9 and 10, consider restricting access to the "crystalimagehandler.aspx" API endpoint until a patch is available. As a temporary workaround, avoid using the dynamicimag argument in the "crystalimagehandler.aspx" API endpoint to minimize the risk of exploitation.