PT-2013-5865 · Thomson Reuters · Thomson Reuters Velocity Analytics Vhayu Analytic Server

Eduardo Gonzalez Lainez

Published

2013-11-28

Updated

2013-11-29

CVE-2013-5912

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.94 build 2995

Description The issue allows remote attackers to execute arbitrary code via a URL in the fileName parameter during an importFile action. This is related to the VhttpdMgr component.

Recommendations For Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.94 build 2995, avoid using the fileName parameter in the importFile action until the issue is resolved. As a temporary workaround, consider restricting access to the importFile action to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2013-5912

Affected Products

Thomson Reuters Velocity Analytics Vhayu Analytic Server

PT-2013-5865 · Thomson Reuters · Thomson Reuters Velocity Analytics Vhayu Analytic Server

CVE-2013-5912

Weakness Enumeration

Related Identifiers

Affected Products

References · 3