JVNDB-2017-009884
|
QND Advance/Standard vulnerable to directory traversal
|
QND Advance/Standard provided by QualitySoft Corporation contains a directory traversal vulnerability (CWE-22) in the administrative server, due to an issue in processing input from an agent program.
The administrative server also does not require authentication for communication between the server and an agent program, so any device with access to the administrative server can send an arbitrary request and have it processed.
Muneaki Nishimura of Recruit Technologies Co.,Ltd. RED TEAM reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
|
CVSS V3 Severity: Base Metrics 9.1 (Critical) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
CVSS V2 Severity: Base Metrics 9.4 (High) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: None
|
|
QualitySoft Corporation
- QND Advance/Standard all versions
|
|
If the administrative server processes a specially crafted command, an arbitrary file on the administrative server may be obtained or altered.
|
[Update the Software]
Apply the latest update according to the information provided by the developer.
|
QualitySoft Corporation
|
- Path Traversal(CWE-22) [IPA Evaluation]
|
- CVE-2017-10861
|
- JVN : JVNVU#94198685
- National Vulnerability Database (NVD) : CVE-2017-10861
|
- [2017/11/28]
Web page was published
- [2018/03/14]
References : Content was added
|