Advisory Details

April 22nd, 2015

Novell Zenworks FileViewer Information Disclosure Vulnerability

ZDI-15-150
ZDI-CAN-2577

CVE ID CVE-2015-0783
CVSS SCORE 3.5, (AV:N/AC:M/Au:S/C:P/I:N/A:N)
AFFECTED VENDORS Novell
AFFECTED PRODUCTS Zenworks
VULNERABILITY DETAILS


This vulnerability allows attackers to obtain sensitive information on vulnerable installations of Novell Zenworks. User interaction is not required to exploit this vulnerability.

The specific flaw exists within the FileViewer class. The issue lies in the failure to sanitize the "filename" variable. The attacker can leverage this to read files remotely.

ADDITIONAL DETAILS Novell has issued an update to correct this vulnerability. More details can be found at:
https://www.novell.com/support/kb/doc.php?id=7016431
DISCLOSURE TIMELINE
  • 2015-01-15 - Vulnerability reported to vendor
  • 2015-04-22 - Coordinated public release of advisory
CREDIT Anonymous
BACK TO ADVISORIES