Sign-up

ID

VAR-200705-0287


CVE

CVE-2007-2590


TITLE

Nokia Intellisync Mobile Suite Vulnerabilities that collect important information

Trust: 0.8

sources: JVNDB: JVNDB-2007-003824

DESCRIPTION

Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0.107, and 6.6.2.2, possibly involving Novell Groupwise Mobile Server and Nokia Intellisync Wireless Email Express, allows remote attackers to obtain user names and other sensitive information via a direct request to (1) usrmgr/userList.asp or (2) usrmgr/userStatusList.asp. Intellisync Mobile Suite is prone to a information disclosure vulnerability. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. Join the FREE BETA test of the Network Software Inspector (NSI)! http://secunia.com/network_software_inspector/ The NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. ---------------------------------------------------------------------- TITLE: Nokia Intellisync Mobile Suite Multiple Vulnerabilities SECUNIA ADVISORY ID: SA25212 VERIFY ADVISORY: http://secunia.com/advisories/25212/ CRITICAL: Moderately critical IMPACT: Cross Site Scripting, Exposure of system information, Exposure of sensitive information, DoS WHERE: >From remote SOFTWARE: Intellisync Mobile Suite http://secunia.com/product/3450/ DESCRIPTION: Johannes Greil has reported some vulnerabilities in Nokia's Intellisync Mobile Suite, which can be exploited by malicious people to gain knowledge of sensitive information, conduct cross-site scripting attacks, manipulate certain data, or cause a DoS (Denial of Service). 1) Missing authentication checks within certain ASP scripts (e.g. userList.asp, userStatusList.asp) can be exploited to modify or gain knowledge of certain user details, or to disable user accounts. 2) Certain input passed to de/pda/dev_logon.asp, usrmgr/registerAccount.asp, and de/create_account.asp is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 3) An error within the bundled Apache Tomcat server can be exploited to disclose directory listings and script source codes. The vulnerabilities are reported in versions 6.4.31.2, 6.6.0.107, and 6.6.2.2 and is reported to partially affect Nokia Intellisync Wireless Email Express. Other versions may also be affected. SOLUTION: Upgrade to GMS 2. PROVIDED AND/OR DISCOVERED BY: Johannes Greil, SEC Consult ORIGINAL ADVISORY: http://www.sec-consult.com/289.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2007-2590 // JVNDB: JVNDB-2007-003824 // BID: 86193 // VULHUB: VHN-25952 // PACKETSTORM: 56572

AFFECTED PRODUCTS

vendor:nokiamodel:intellisync mobile suitescope:eqversion:6.6.0.107

Trust: 2.7

vendor:nokiamodel:intellisync mobile suitescope:eqversion:6.4.31.2

Trust: 2.7

vendor:nokiamodel:intellisync mobile suitescope:eqversion:6.6.2.2

Trust: 1.9

vendor:nokiamodel:groupwise mobile serverscope: - version: -

Trust: 1.4

vendor:nokiamodel:intellisync wireless email expressscope: - version: -

Trust: 1.4

vendor:nokiamodel:groupwise mobile serverscope:eqversion:*

Trust: 1.0

vendor:nokiamodel:intellisync wireless email expressscope:eqversion:*

Trust: 1.0

vendor:nokiamodel:intellisync mobile suitescope:eqversion:and 6.6.2.2

Trust: 0.8

sources: BID: 86193 // JVNDB: JVNDB-2007-003824 // CNNVD: CNNVD-200705-205 // NVD: CVE-2007-2590

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-2590
value: MEDIUM

Trust: 1.0

NVD: CVE-2007-2590
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200705-205
value: MEDIUM

Trust: 0.6

VULHUB: VHN-25952
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2007-2590
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-25952
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-25952 // JVNDB: JVNDB-2007-003824 // CNNVD: CNNVD-200705-205 // NVD: CVE-2007-2590

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-25952 // JVNDB: JVNDB-2007-003824 // NVD: CVE-2007-2590

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200705-205

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-200705-205

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2007-003824

PATCH
title:Top pageurl:http://www.nokia.com/global/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2007-003824

EXTERNAL IDS
db:NVDid:CVE-2007-2590
Trust: 2.8
db:SREASONid:2689
Trust: 2.0
db:SECUNIAid:25212
Trust: 1.8
db:VUPENid:ADV-2007-1727
Trust: 1.7
db:OSVDBid:34514
Trust: 1.1
db:JVNDBid:JVNDB-2007-003824
Trust: 0.8
db:BUGTRAQid:20070509 SEC CONSULT SA-20070509-0 :: MULTIPLE VULNERABILITES IN NOKIA INTELLISYNC MOBILE SUITE & WIRELESS EMAIL EXPRESS
Trust: 0.6
db:CNNVDid:CNNVD-200705-205
Trust: 0.6
db:BIDid:86193
Trust: 0.4
db:VULHUBid:VHN-25952
Trust: 0.1
db:PACKETSTORMid:56572
Trust: 0.1
sources:
            
            
            VULHUB: VHN-25952 // 
            
            
            
            BID: 86193 // 
            
            
            
            JVNDB: JVNDB-2007-003824 // 
            
            
            
            PACKETSTORM: 56572 // 
            
            
            
            CNNVD: CNNVD-200705-205 // 
            
            
            
            NVD: CVE-2007-2590

REFERENCES
url:http://www.sec-consult.com/289.html
Trust: 2.1
url:http://securityreason.com/securityalert/2689
Trust: 2.0
url:http://secunia.com/advisories/25212
Trust: 1.7
url:http://www.securityfocus.com/archive/1/468048/100/0/threaded
Trust: 1.1
url:http://osvdb.org/34514
Trust: 1.1
url:http://www.vupen.com/english/advisories/2007/1727
Trust: 1.1
url:http://www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-2590
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-2590
Trust: 0.8
url:http://www.frsirt.com/english/advisories/2007/1727
Trust: 0.6
url:http://secunia.com/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/network_software_inspector/
Trust: 0.1
url:http://secunia.com/advisories/25212/
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/product/3450/
Trust: 0.1
url:http://secunia.com/about_secunia_advisories/
Trust: 0.1
sources:
            
            
            VULHUB: VHN-25952 // 
            
            
            
            BID: 86193 // 
            
            
            
            JVNDB: JVNDB-2007-003824 // 
            
            
            
            PACKETSTORM: 56572 // 
            
            
            
            CNNVD: CNNVD-200705-205 // 
            
            
            
            NVD: CVE-2007-2590

CREDITS
Unknown
Trust: 0.3
sources:
            
            
            BID: 86193

SOURCES
db:VULHUBid:VHN-25952
db:BIDid:86193
db:JVNDBid:JVNDB-2007-003824
db:PACKETSTORMid:56572
db:CNNVDid:CNNVD-200705-205
db:NVDid:CVE-2007-2590

LAST UPDATE DATE
2025-04-10T20:14:09.358000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-25952date:2018-10-16T00:00:00
db:BIDid:86193date:2007-05-11T00:00:00
db:JVNDBid:JVNDB-2007-003824date:2012-09-25T00:00:00
db:CNNVDid:CNNVD-200705-205date:2007-05-11T00:00:00
db:NVDid:CVE-2007-2590date:2025-04-09T00:30:58.490

SOURCES RELEASE DATE
db:VULHUBid:VHN-25952date:2007-05-11T00:00:00
db:BIDid:86193date:2007-05-11T00:00:00
db:JVNDBid:JVNDB-2007-003824date:2012-09-25T00:00:00
db:PACKETSTORMid:56572date:2007-05-10T00:32:46
db:CNNVDid:CNNVD-200705-205date:2007-05-11T00:00:00
db:NVDid:CVE-2007-2590date:2007-05-11T04:20:00