CVE-2015-6459

Name of the Vulnerable Software and Affected Versions GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise versions prior to 3.1.5

Description The issue is related to an absolute path traversal vulnerability in the download feature of the FileDownloadServlet. This vulnerability allows remote attackers to read or delete arbitrary files via a full pathname. The vulnerability exists due to incorrect restriction of the directory path name with limited access. Exploitation of the vulnerability may allow a remote attacker to read or delete arbitrary files using the full directory path.

Recommendations For versions prior to 3.1.5, update to version 3.1.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the FileDownloadServlet to minimize the risk of exploitation.