CVE-2013-5648
Date: (C)2013-08-30   (M)2023-12-22


Absolute path traversal vulnerability in the handleStartDataFile function in DigiDocSAXParser.c in libdigidoc 3.6.0.0, as used in ID-software before 3.7.2 and other products, allows remote attackers to overwrite arbitrary files via a filename beginning with / (slash) or \ (backslash) in a DDOC file.

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score : 6.8
Exploit Score: 8.6
Impact Score: 6.4
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
  
Reference:
http://svnweb.mageia.org/packages/updates/3/libdigidoc/current/SOURCES/libdigidoc-3.6.0.0-security-fix-DataFile-name-tag.patch?revision=472660&view=markup
http://www.id.ee/?lang=en&id=34283#3_7_2
https://bugs.mageia.org/show_bug.cgi?id=11100
https://bugzilla.redhat.com/show_bug.cgi?id=1002299

CPE    3
cpe:/a:id:libdigidoc:3.6.0.0
cpe:/a:id:id-software:3.7
cpe:/a:id:id-software:3.7.1
CWE    1
CWE-22

© SecPod Technologies