PT-2009-4215 · Pinnacle Systems · Installhfz.Exe+2
Nine:Situations:Group · Published 2009-05-21 · Updated 2018-10-10 · CVE-2009-1743
CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
Pinnacle Studio 12 version 6.5.201.0
Description:
A directory traversal issue exists, allowing remote attackers to create and overwrite arbitrary files via a filename containing a ..\ (dot dot backslash) sequence in a Hollywood FX Compressed Archive (.hfz) file. This can potentially be leveraged for code execution by decompressing a file to a Startup folder.
Recommendations:
For version 6.5.201.0, consider restricting access to the InstallHFZ.exe module to minimize the risk of exploitation. As a temporary workaround, avoid using the Hollywood FX Compressed Archive (.hfz) file format until a patch is available.
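The check an archive extractor needs in order to refuse the member names described above, as an added example (not vendor code, and not part of the original advisory). It assumes member names have already been read from the archive, since the .hfz layout is not described here; `DEST_ROOT`, `safe_target`, `audit_members` and the sample names are hypothetical.

```python
import ntpath

# Hypothetical extraction root, constructed for this example.
DEST_ROOT = r"C:\HFX\Effects"


def safe_target(dest_root, member_name):
    """Return the absolute path an archive member may be written to,
    or None if the name could place the file outside dest_root."""
    if not member_name or "\x00" in member_name:
        return None
    # Windows accepts both separators, so compare on one of them.
    name = member_name.replace("/", "\\")
    # Drive-qualified names (C:...), NTFS stream syntax (a.txt:s) and
    # rooted or UNC names (\x, \\host\share\x) are never relative members.
    if ":" in name or name.startswith("\\"):
        return None
    # Reject empty, ".", ".." and dot/space-only components. Deliberately
    # strict: Win32 path normalization can trim trailing dots and spaces.
    for part in name.split("\\"):
        if part.strip(" .") == "":
            return None
    # Second layer: resolve the path and confirm it stays under the root.
    root = ntpath.normpath(dest_root)
    target = ntpath.normpath(ntpath.join(root, name))
    if not ntpath.normcase(target).startswith(ntpath.normcase(root) + "\\"):
        return None
    return target


def audit_members(dest_root, names):
    """Map each member name to its target path, or None when rejected."""
    return {n: safe_target(dest_root, n) for n in names}


if __name__ == "__main__":
    # Constructed member names, not taken from a real .hfz archive.
    samples = [
        "Wipes\\Wipe01.dat",
        "..\\..\\Startup\\example.bat",
        "Wipes/../../x.dll",
        "C:\\Windows\\x.dll",
    ]
    for name, target in audit_members(DEST_ROOT, samples).items():
        print(f"{name!r:40} -> {target or 'REJECTED'}")
```

`ntpath` applies Windows path rules on any host OS, so the same check can be used to triage archive listings on a Linux analysis machine.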
Exploit
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Hollywood Fx
Installhfz.Exe
Pinnacle Studio