CVE-2014-0358

Name of the Vulnerable Software and Affected Versions Xangati XSR versions prior to 11 Xangati XNR versions prior to 7

Description The issue allows remote attackers to read arbitrary files via a .. (dot dot) in various parameters. This can be achieved through several API endpoints, including: "getUpgradeStatus" action to "servlet/MGConfigData" using the file parameter, "download" action to "servlet/MGConfigData" using the download parameter, "port svc" action to "servlet/MGConfigData" using the download parameter, "getfile" action to "servlet/Installer" using the file parameter, and "servlet/MGConfigData" using the binfile parameter.

Recommendations For Xangati XSR versions prior to 11, update to version 11 or later. For Xangati XNR versions prior to 7, update to version 7 or later. As a temporary workaround, consider restricting access to the affected servlets and parameters until a patch is available.