PT-2011-4006 · Novell · Novell Zenworks Configuration Management+1
Andrea Micalizzi
+1
·
Published
2011-11-07
·
Updated
2012-07-27
·
CVE-2011-2657
CVSS v2.0
6.8
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Novell ZENworks Configuration Management versions 10.2 through 11 SP1
Description
The issue allows remote attackers to execute arbitrary commands via a pathname in the first argument to the
LaunchProcess function in the LaunchHelp.HelpLauncher.1 ActiveX control in LaunchHelp.dll. This enables attackers to potentially execute malicious commands on affected systems.Recommendations
For versions 10.2 through 11 SP1, consider disabling the
LaunchProcess function in the LaunchHelp.HelpLauncher.1 ActiveX control until a patch is available. Restrict access to the LaunchHelp.dll to minimize the risk of exploitation. Avoid using the LaunchHelp ActiveX control in the affected Novell ZENworks Configuration Management versions until the issue is resolved.Exploit
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Launchhelp.Dll
Novell Zenworks Configuration Management