CVE-2004-0204
HIGH severity · CVSS 7.5
7.5CVSS HIGH
Summary
Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimag argument to crystalimagehandler.aspx.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges required—
User interaction—
Confidentiality impact—
Integrity impact—
Availability impact—
Exploit probability (EPSS)73%
AV:N/AC:L/Au:N/C:P/I:P/A:P
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: http://www.securityfocus.com/bid/10260 ↗
Additional information
- NVD record
- http://www.securityfocus.com/bid/10260Patch
- http://marc.info/?l=bugtraq&m=108360413811017&w=2
- http://marc.info/?l=bugtraq&m=108671836127360&w=2
- http://secunia.com/advisories/11800
- http://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.asp
- http://www.osvdb.org/6748
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-017
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16044