PT-2020-16814 · Nec · Nec Esmpro Manager

Rgod

Published

2020-06-25

Updated

2021-01-26

CVE-2020-27859

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions NEC ESMPRO Manager version 6.42

Description This issue allows remote attackers to disclose sensitive information on affected installations. Authentication is not required to exploit this issue. The specific flaw exists within the GetEuaLogDownloadAction class, resulting from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this issue to disclose information in the context of SYSTEM.

Recommendations For NEC ESMPRO Manager version 6.42, consider disabling the GetEuaLogDownloadAction class until a patch is available to prevent exploitation. Restrict access to sensitive information to minimize the risk of disclosure.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2020-27859

ZDI-20-736

Affected Products

Nec Esmpro Manager

PT-2020-16814 · Nec · Nec Esmpro Manager

CVE-2020-27859

Weakness Enumeration

Related Identifiers

Affected Products

References · 3