ID

VAR-201312-0633


TITLE

Ecava IntegraXor Project Directory Information Disclosure Vulnerability

Trust: 0.7

sources: ZDI: ZDI-13-277

DESCRIPTION

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Ecava IntegraXor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the storing of credentials in cleartext. The issue lies in the ability to bypass file access restrictions. This can be used along with the automatic creation of backup files, which are created whenever changes are made to a project. By abusing this flaw an attacker can disclose credentials and possibly leverage this situation to achieve remote code execution.

Trust: 0.7

sources: ZDI: ZDI-13-277

AFFECTED PRODUCTS

vendor: ecava, model: integraxor, scope: -, version: -

Trust: 0.7

sources: ZDI: ZDI-13-277

CVSS

SEVERITY

ZDI: ZDI-13-277
value: HIGH

Trust: 0.7

CVSSV2

ZDI: ZDI-13-277
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

CVSSV3

-

sources: ZDI: ZDI-13-277

EXTERNAL IDS

db: ZDI_CAN, id: ZDI-CAN-1988

Trust: 0.7

db: ZDI, id: ZDI-13-277

Trust: 0.7

sources: ZDI: ZDI-13-277

CREDITS

Alphazorx aka technically.screwed

Trust: 0.7

sources: ZDI: ZDI-13-277

SOURCES

db: ZDI, id: ZDI-13-277

LAST UPDATE DATE

2022-05-17T02:09:05.466000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-13-277, date: 2013-12-15T00:00:00

SOURCES RELEASE DATE

db: ZDI, id: ZDI-13-277, date: 2013-12-15T00:00:00