PT-2009-3322 · Plunet · Plunet Businessmanager

Published

2009-02-23

Updated

2017-08-17

CVE-2009-0700

CVSS v2.0

4.0

Medium

Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions Plunet BusinessManager versions 4.1 and earlier

Description The issue allows remote authenticated users to bypass access restrictions. This can lead to reading sensitive Customer or Order data via a modified Pfad parameter to "pagesUTF8/Sys DirAnzeige.jsp" or listing sensitive Jobs via a direct request to "pagesUTF8/auftrag job.jsp".

Recommendations For Plunet BusinessManager versions 4.1 and earlier, restrict access to the "pagesUTF8/Sys DirAnzeige.jsp" and "pagesUTF8/auftrag job.jsp" pages to minimize the risk of exploitation. Avoid using the modified Pfad parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-264

Related Identifiers

CVE-2009-0700

Affected Products

Plunet Businessmanager

PT-2009-3322 · Plunet · Plunet Businessmanager

CVE-2009-0700

Weakness Enumeration

Related Identifiers

Affected Products

References · 8