General Electric's MDS PulseNET < 3.1.5 Multiple Vulnerabilities
Critical Nessus Network Monitor Plugin ID 9052
The remote host is running an outdated version of General Electric's MDS PulseNET application.
The version of General Electric's MDS PulseNET application is prior to 3.1.5 and is affected by multiple vulnerabilities:
- The application installs with default, hardcoded credentials for a support account. This allows remote attackers to trivially gain privileged access to the application. (OSVDB 127531)
- A flaw exists that allows traversing outside of a restricted path. The issue is due to the 'FileDownloadServlet' not properly sanitizing user input, specifically path traversal style attacks (e.g. '../') supplied via filenames. With a specially crafted request, a remote attacker can read or delete arbitrary files. (OSVDB 127532)