Sign-up

ID

VAR-201602-0291


CVE

CVE-2015-7675


TITLE

Ipswitch MOVEit DMZ and MOVEit Mobile Vulnerabilities that can bypass authentication

Trust: 0.8

sources: JVNDB: JVNDB-2015-006874

DESCRIPTION

The "Send as attachment" feature in Ipswitch MOVEit DMZ before 8.2 and MOVEit Mobile before 1.2.2 allow remote authenticated users to bypass authorization and read uploaded files via a valid FileID in the (1) serverFileIds parameter to mobile/sendMsg or (2) arg01 parameter to human.aspx. Ipswitch MOVEit is an automated file transfer system from Ipswitch Corporation in the United States. The system supports control, management, and visibility into all business-critical file transfer activities through a single, secure system. DMZ and Mobile are the versions

Trust: 1.71

sources: NVD: CVE-2015-7675 // JVNDB: JVNDB-2015-006874 // VULHUB: VHN-85636

AFFECTED PRODUCTS

vendor:ipswitchmodel:moveit mobilescope:lteversion:1.2.0.962

Trust: 1.0

vendor:ipswitchmodel:moveit dmzscope:lteversion:8.1

Trust: 1.0

vendor:ipswitchmodel:moveit dmzscope:ltversion:8.2

Trust: 0.8

vendor:ipswitchmodel:moveit mobilescope:ltversion:1.2.2

Trust: 0.8

vendor:ipswitchmodel:moveit mobilescope:eqversion:1.2.0.962

Trust: 0.6

vendor:ipswitchmodel:moveit dmzscope:eqversion:8.1

Trust: 0.6

sources: JVNDB: JVNDB-2015-006874 // CNNVD: CNNVD-201602-207 // NVD: CVE-2015-7675

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7675
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-7675
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201602-207
value: MEDIUM

Trust: 0.6

VULHUB: VHN-85636
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-7675
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-85636
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-7675
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-85636 // JVNDB: JVNDB-2015-006874 // CNNVD: CNNVD-201602-207 // NVD: CVE-2015-7675

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-85636 // JVNDB: JVNDB-2015-006874 // NVD: CVE-2015-7675

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201602-207

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201602-207

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-006874

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-85636

PATCH
title:MOVEit DMZ Release Notes 8.2url:http://docs.ipswitch.com/MOVEit/DMZ82/ReleaseNotes/MOVEitReleaseNotes82.pdf
Trust: 0.8
title:Ipswitch MOVEit DMZ  and MOVEit Mobile Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60150
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2015-006874 // 
            
            
            
            CNNVD: CNNVD-201602-207

EXTERNAL IDS
db:NVDid:CVE-2015-7675
Trust: 2.5
db:PACKETSTORMid:135457
Trust: 1.7
db:JVNDBid:JVNDB-2015-006874
Trust: 0.8
db:CNNVDid:CNNVD-201602-207
Trust: 0.7
db:VULHUBid:VHN-85636
Trust: 0.1
sources:
            
            
            VULHUB: VHN-85636 // 
            
            
            
            JVNDB: JVNDB-2015-006874 // 
            
            
            
            CNNVD: CNNVD-201602-207 // 
            
            
            
            NVD: CVE-2015-7675

REFERENCES
url:https://www.profundis-labs.com/advisories/cve-2015-7675.txt
Trust: 2.5
url:http://docs.ipswitch.com/moveit/dmz82/releasenotes/moveitreleasenotes82.pdf
Trust: 1.7
url:http://seclists.org/fulldisclosure/2016/jan/95
Trust: 1.7
url:http://packetstormsecurity.com/files/135457/ipswitch-moveit-dmz-8.1-authorization-bypass.html
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7675
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7675
Trust: 0.8
sources:
            
            
            VULHUB: VHN-85636 // 
            
            
            
            JVNDB: JVNDB-2015-006874 // 
            
            
            
            CNNVD: CNNVD-201602-207 // 
            
            
            
            NVD: CVE-2015-7675

SOURCES
db:VULHUBid:VHN-85636
db:JVNDBid:JVNDB-2015-006874
db:CNNVDid:CNNVD-201602-207
db:NVDid:CVE-2015-7675

LAST UPDATE DATE
2025-04-13T23:23:41.295000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-85636date:2016-02-18T00:00:00
db:JVNDBid:JVNDB-2015-006874date:2016-02-19T00:00:00
db:CNNVDid:CNNVD-201602-207date:2016-02-15T00:00:00
db:NVDid:CVE-2015-7675date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-85636date:2016-02-10T00:00:00
db:JVNDBid:JVNDB-2015-006874date:2016-02-19T00:00:00
db:CNNVDid:CNNVD-201602-207date:2016-02-15T00:00:00
db:NVDid:CVE-2015-7675date:2016-02-10T15:59:00.100