PT-2007-4938 · Kddi · Ezfactory Kddi Download Cgi
Published: 2007-07-11 · Updated: 2017-07-29 · CVE-2007-3692
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
EZFactory KDDI Download CGI version 1.x
Description
A directory traversal vulnerability in the download.cgi component allows remote attackers to read and download arbitrary files. This is achieved by including a .. (dot dot) sequence in the name parameter.
Recommendations
For EZFactory KDDI Download CGI version 1.x, consider restricting access to the download.cgi component until a patch is available. As a temporary workaround, avoid using the name parameter in the download.cgi API endpoint to minimize the risk of exploitation.
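While access to download.cgi is being restricted, existing web server access logs can be reviewed for requests matching the description above. The following detection sketch is an added example, not part of the original advisory or of the vendor's code; it assumes Common/Combined Log Format entries and a /cgi-bin/ install path, and all log lines in it are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line of a Common/Combined Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample entries; the /cgi-bin/ path and file names are assumptions.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jul/2007:10:00:01 +0900] "GET /cgi-bin/download.cgi?name=manual.pdf HTTP/1.1" 200 5120',
    '192.0.2.44 - - [11/Jul/2007:10:00:07 +0900] "GET /cgi-bin/download.cgi?name=../conf/site.cfg HTTP/1.1" 200 311',
    '192.0.2.44 - - [11/Jul/2007:10:00:09 +0900] "GET /cgi-bin/download.cgi?name=%2e%2e%2fconf%2fsite.cfg HTTP/1.1" 200 311',
    '192.0.2.10 - - [11/Jul/2007:10:00:15 +0900] "GET /cgi-bin/download.cgi?name=notes..v2.txt HTTP/1.1" 200 900',
    '192.0.2.10 - - [11/Jul/2007:10:00:20 +0900] "GET /index.html?name=../x HTTP/1.1" 404 100',
]


def has_dotdot_segment(value):
    """True if any path segment of value is exactly '..' (either slash style)."""
    for _ in range(3):  # bounded re-decoding catches double-encoded input
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return ".." in re.split(r"[\\/]", value)


def suspicious_requests(lines):
    """Yield (line_number, name_value) for download.cgi hits with '..' in name."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.lower().endswith("/download.cgi"):
            continue
        # parse_qs percent-decodes each value once before we inspect it.
        for value in parse_qs(target.query, keep_blank_values=True).get("name", []):
            if has_dotdot_segment(value):
                yield number, value


if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: name={value!r}")
```

Matching on whole `..` path segments rather than the bare substring keeps file names such as `notes..v2.txt` from being flagged.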
Affected Products
Ezfactory Kddi Download Cgi