PT-2013-2856 · Novell (+1 more) · Novell ZENworks Configuration Management (+1 more)
Andrea Micalizzi (+1 more)
Published: 2013-03-22 · Updated: 2013-04-02
CVE-2013-1079
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Novell ZENworks Configuration Management (ZCM) versions 10.3 through 11.2
Description
A directory traversal issue exists in the ISCreateObject method of an ActiveX control in AdminStudio, allowing remote attackers to execute arbitrary local DLL files via a crafted web page. This can be achieved by calling the Initialize method.
Recommendations
For versions 10.3 through 11.2, consider disabling the ISCreateObject method in the ISProxy.dll ActiveX control as a temporary workaround until a patch is available. Restrict access to the Initialize method to minimize the risk of exploitation.
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
AdminStudio
Novell ZENworks Configuration Management