PT-2013-5948 · Wellintech · Supergrid.Ocx+1

Blake · Published 2013-10-25 · Updated 2013-10-28 · CVE-2013-6127

CVSS v2.0: 5.8 (Medium) · Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions

- WellinTech KingView versions prior to 6.53
- SuperGrid.ocx versions prior to 65.30.30000.10002

Description

The issue concerns the SUPERGRIDLib.SuperGrid ActiveX control, which does not properly restrict calls to its ReplaceDBFile method. Because the method's two pathname arguments are not confined to the intended location, a remote attacker can use directory traversal sequences in them to create or overwrite arbitrary files and subsequently execute arbitrary programs.

Recommendations

For WellinTech KingView versions prior to 6.53, update to version 6.53 or later. For SuperGrid.ocx versions prior to 65.30.30000.10002, update to version 65.30.30000.10002 or later. As a temporary workaround, consider restricting access to the ReplaceDBFile method until a patch is available.
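The root cause above is that neither pathname argument of ReplaceDBFile is confined to the control's database directory. The following Python is an added example of the kind of confinement check such a method should perform; it is not WellinTech code, and the base directory, the .db-only rule and the argument names are assumptions.

```python
import shutil
import tempfile
from pathlib import Path

# Hardened wrapper for a two-pathname "replace database file" operation.
# The base directory and the .db-only rule are assumptions for this example.
ALLOWED_SUFFIXES = {".db"}

def confine(base: Path, user_path: str) -> Path:
    """Resolve user_path under base; refuse traversal, absolute paths, odd types."""
    base = base.resolve()
    # Treat both separators as separators so "..\\..\\x" cannot slip past on POSIX.
    candidate = (base / user_path.replace("\\", "/")).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError once the path leaves base
    except ValueError:
        raise PermissionError(f"path escapes {base}: {user_path!r}")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise PermissionError(f"disallowed file type: {user_path!r}")
    return candidate

def safe_replace_db_file(base: Path, src_arg: str, dst_arg: str) -> Path:
    """Copy src over dst only when both pathname arguments stay inside base."""
    src, dst = confine(base, src_arg), confine(base, dst_arg)
    shutil.copyfile(src, dst)
    return dst

def accepts(base: Path, src_arg: str, dst_arg: str) -> bool:
    """True when both pathname arguments pass the confinement check."""
    try:
        confine(base, src_arg)
        confine(base, dst_arg)
        return True
    except PermissionError:
        return False

def demo() -> dict:
    """Constructed inputs: a scratch DB directory holding one legitimate file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "kingview_db"
        base.mkdir()
        (base / "good.db").write_text("sample")
        out = {
            "plain": accepts(base, "good.db", "copy.db"),
            "dotdot": accepts(base, "good.db", "../../outside.db"),
            "backslash": accepts(base, "good.db", "..\\..\\outside.db"),
            "absolute": accepts(base, "good.db", "/tmp/outside.db"),
            "exe": accepts(base, "good.db", "startup.exe"),
        }
        out["copied"] = safe_replace_db_file(base, "good.db", "copy.db").read_text()
        return out
```

Resolving after joining, rather than string-matching for "..", is what rejects the absolute-path and backslash variants as well as the plain traversal case.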

Tags: Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers: CVE-2013-6127

Affected Products: Kingview, Supergrid.Ocx