CVE-2014-9609

Name of the Vulnerable Software and Affected Versions: Netsweeper versions 3.1.10 and earlier, 4.0.x through 4.0.8, 4.1.x through 4.1.1

Description: The issue allows remote attackers to list directory contents via a .. (dot dot) in the log parameter in a stats action. This is due to a directory traversal vulnerability in the webadmin/reporter/view server log.php file.

Recommendations: For versions 3.1.10 and earlier, update to version 3.1.10 or later. For versions 4.0.x through 4.0.8, update to version 4.0.9 or later. For versions 4.1.x through 4.1.1, update to version 4.1.2 or later. As a temporary workaround, consider restricting access to the vulnerable webadmin/reporter/view server log.php file until a patch is available. Avoid using the log parameter in the affected API endpoint until the issue is resolved.