vendor:
vSpace Pro
by:
Javier Bernardo
7.5
CVSS
HIGH
Directory Traversal
22
CWE
Product Name: vSpace Pro
Affected Version From: v10
Affected Version To: v11
Patch Exists: NO
Related CWE: CVE-2018-10201
CPE: ncomputing:vspace_pro
Tags: cve2018,ncomputing,lfi,packetstorm,cve
CVSS Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Nuclei References:
https://packetstormsecurity.com/files/147303/Ncomputing-vSPace-Pro-10-11-Directory-Traversal.html, https://nvd.nist.gov/vuln/detail/CVE-2018-10201, http://www.kwell.net/kwell_blog/?p=5199, https://www.kwell.net/kwell/index.php?option=com_newsfeeds&view=newsfeed&id=15&Itemid=173&lang=es, https://support.ncomputing.com/portal/kb/articles/ncomputing-health-monitor-server-vulnerability-patch
Nuclei Metadata: {'max-request': 4, 'vendor': 'ncomputing', 'product': 'vspace_pro'}
Platforms Tested:
2018
Ncomputing vSpace Pro v10 and v11 – Directory Traversal Vulnerability
It is possible to read arbitrary files outside the root directory of the web server. This vulnerability could be exploited remotely by a crafted URL without credentials, with …/ or … or …./ or …. as a directory-traversal pattern to TCP port 8667. An attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.
Mitigation:
Apply the vendor's security patch or upgrade to a newer version of the software.
