PT-2019-12149 · Mirasys · Mirasys Vms

Joachim Kerschbaumer · Published 2019-08-22 · Updated 2019-08-30 · CVE-2019-11029

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Mirasys VMS versions prior to 7.6.1
Mirasys VMS versions 8.x prior to 8.3.2

Description

The issue concerns the mishandling of the Download() method of AutoUpdateService in SMServer.exe, leading to Directory Traversal. An attacker could use ".." with this method to iterate over lists of interesting system files and download them without prior authentication. This includes SAM-database backups, Web.config files, etc., and might have a serious impact on confidentiality.

Recommendations

For versions prior to 7.6.1, update to version 7.6.1 or later.
For versions 8.x prior to 8.3.2, update to version 8.3.2 or later.

Fix

Path traversal

Weakness Enumeration

Related identifiers

CVE-2019-11029

Affected products

Mirasys Vms