CVE-2010-0154

Name of the Vulnerable Software and Affected Versions IBM Proventia Network Mail Security System (PNMSS) appliance with firmware prior to 2.5

Description The issue allows remote authenticated users to read arbitrary files via a .. (dot dot) in the l parameter in the sla/index.php file of the Local Management Interface (LMI) on the IBM Proventia Network Mail Security System (PNMSS) appliance. This is related to an "Insecure Direct Object Reference" issue.

Recommendations For IBM Proventia Network Mail Security System (PNMSS) appliance with firmware prior to 2.5, update the firmware to version 2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the sla/index.php file in the LMI to minimize the risk of exploitation. Avoid using the l parameter in the affected API endpoint until the issue is resolved.