Detections
Analytics

Bitdefender GravityZone < 5.1.11.432 Information Disclosure

medium Nessus Plugin ID 76794

Language:

Synopsis

An application hosted on the remote web server has a directory traversal vulnerability.

Description

The Bitdefender GravityZone install hosted on the remote web server has a directory traversal vulnerability. Input to the 'id' parameter of the '/webservice/CORE/downloadFullKitEpc/a/1' script is not properly sanitized.

A remote attacker could exploit this issue to download arbitrary files, subject to the privileges under which the web server operates.

Note that this version is reportedly also affected by a missing authentication vulnerability as well as a hard-coded credentials issue; however, Nessus did not test for these additional issues.

Solution

Upgrade to 5.1.11.432 or later.

See Also

http://www.nessus.org/u?fc7fda14

Plugin Details

Severity: Medium

ID: 76794

File Name: bitdefender_gravityzone_5_1_11_432.nasl

Version: 1.8

Type: remote

Family: CGI abuses

Published: 7/25/2014

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2014-5350

Vulnerability Information

CPE: cpe:/a:bitdefender:gravityzone

Required KB Items: installed_sw/Bitdefender GravityZone Web Interface

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 7/4/2014

Vulnerability Publication Date: 7/16/2014

Reference Information

CVE: CVE-2014-5350

BID: 68669