Participate Enterprise Multiple Access Validation Vulnerabilities

vendor:

Enterprise

by:

SecurityFocus

7.5

CVSS

HIGH

Multiple Access Validation Vulnerabilities

284

CWE

Product Name: Enterprise

Affected Version From: All

Affected Version To: All

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2004

Participate Enterprise Multiple Access Validation Vulnerabilities

An attacker can browse the directory tree and disclose sensitive information, rename arbitrary objects, and delete arbitrary objects. All versions of Participate Enterprise are considered vulnerable.

Mitigation:

Ensure that access control policies are properly configured and enforced.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/12752/info

Participate Enterprise is reported prone to multiple access validation vulnerabilities. These issues may allow remote attackers to disclose sensitive information and corrupt and delete data that can ultimately lead to a denial of service condition.

The following specific issues were identified:

An attacker can browse the directory tree and disclose sensitive information.

An attacker can rename arbitrary objects.

An attacker can delete arbitrary objects as well.

All versions of Participate Enterprise are considered vulnerable at the moment.

To browse the directory tree:
http://www.example.com/pe/repository/displaynavigator.jsp?rootFolder=101

To rename an object:
http://www.example.com/pe/repository/include/renamepopup.jsp?selectedObject=101

To delete an object:
http://www.example.com/pe/repository/displaydeletenavigator.jsp?selectedObjectsCSV=101