CVE-2013-6720

Name of the Vulnerable Software and Affected Versions IBM Tealeaf CX versions 7.x, 8.x through 8.6, 8.7 through 8.7 before FP2, 8.8 through 8.8 before FP2

Description The issue allows remote authenticated users to bypass intended access restrictions via a .. (dot dot) in the log parameter of the download.php file in the Passive Capture Application (PCA) web console. This can be exploited by sending a crafted request for a customer-support file, potentially accessing sensitive log files.

Recommendations For IBM Tealeaf CX versions 7.x, update to a version that includes the fix for this issue. For IBM Tealeaf CX versions 8.x through 8.6, update to a version that includes the fix for this issue. For IBM Tealeaf CX versions 8.7 before FP2, apply FP2 or a later fix pack to resolve the issue. For IBM Tealeaf CX versions 8.8 before FP2, apply FP2 or a later fix pack to resolve the issue. As a temporary workaround, consider restricting access to the download.php file in the PCA web console to minimize the risk of exploitation.