{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-05-31T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "web/admin/data.js in the Performance Center Virtual Table Server (VTS) component in HPE LoadRunner 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.02 through patch 2, and 12.50 through patch 3 and Performance Center 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.20 through patch 2, and 12.50 through patch 1 do not restrict file paths sent to an unlink call, which allows remote attackers to delete arbitrary files via the path parameter to data/import_csv, aka ZDI-CAN-3555."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-02T12:57:01.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05157423"}, {"name": "90975", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/90975"}, {"name": "1036006", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1036006"}, {"tags": ["x_refsource_MISC"], "url": "https://www.tenable.com/security/research/tra-2016-17"}, {"tags": ["x_refsource_MISC"], "url": "http://www.zerodayinitiative.com/advisories/ZDI-16-364"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-4360", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "web/admin/data.js in the Performance Center Virtual Table Server (VTS) component in HPE LoadRunner 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.02 through patch 2, and 12.50 through patch 3 and Performance Center 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.20 through patch 2, and 12.50 through patch 1 do not restrict file paths sent to an unlink call, which allows remote attackers to delete arbitrary files via the path parameter to data/import_csv, aka ZDI-CAN-3555."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05157423", "refsource": "CONFIRM", "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05157423"}, {"name": "90975", "refsource": "BID", "url": "http://www.securityfocus.com/bid/90975"}, {"name": "1036006", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1036006"}, {"name": "https://www.tenable.com/security/research/tra-2016-17", "refsource": "MISC", "url": "https://www.tenable.com/security/research/tra-2016-17"}, {"name": "http://www.zerodayinitiative.com/advisories/ZDI-16-364", "refsource": "MISC", "url": "http://www.zerodayinitiative.com/advisories/ZDI-16-364"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T00:25:14.506Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05157423"}, {"name": "90975", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/90975"}, {"name": "1036006", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1036006"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.tenable.com/security/research/tra-2016-17"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.zerodayinitiative.com/advisories/ZDI-16-364"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-4360", "datePublished": "2016-06-08T14:00:00.000Z", "dateReserved": "2016-04-29T00:00:00.000Z", "dateUpdated": "2024-08-06T00:25:14.506Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hp:loadrunner:11.52:p3:*:*:*:*:*:*", "matchCriteriaId": "EA41E4F9-3325-4665-A433-BDAA02621F13", "vulnerable": true}, {"criteria": "cpe:2.3:a:hp:loadrunner:12.00:p1:*:*:*:*:*:*", "matchCriteriaId": "58DEE82F-A703-4F0D-96D4-47E6DEC473BC", "vulnerable": true}, {"criteria": "cpe:2.3:a:hp:loadrunner:12.01:p3:*:*:*:*:*:*", "matchCriteriaId": "5B9BA232-B8DD-4EC9-991F-06E73774A156", "vulnerable": true}, {"criteria": "cpe:2.3:a:hp:loadrunner:12.02:p2:*:*:*:*:*:*", "matchCriteriaId": "F7226CD8-1528-4C5B-825D-2569D025808C", "vulnerable": true}, {"criteria": "cpe:2.3:a:hp:loadrunner:12.50:p3:*:*:*:*:*:*", "matchCriteriaId": "7772F623-E8AD-41A1-B5E2-F507FB7F413B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hp:performance_center:11.52:p3:*:*:*:*:*:*", "matchCriteriaId": "4BACEBCB-93A4-4C8C-90DD-3D233BF9B128", "vulnerable": true}, {"criteria": "cpe:2.3:a:hp:performance_center:12.00:p1:*:*:*:*:*:*", "matchCriteriaId": "27EAC034-46D2-41A8-A3F5-7ABDCC7E9457", "vulnerable": true}, {"criteria": "cpe:2.3:a:hp:performance_center:12.01:p3:*:*:*:*:*:*", "matchCriteriaId": "B0DEA9F8-EF3D-4C7F-B6B9-F9A33341E9A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:hp:performance_center:12.20:p2:*:*:*:*:*:*", "matchCriteriaId": "F7FCF452-A5B1-4CB5-BD02-785670A04E82", "vulnerable": true}, {"criteria": "cpe:2.3:a:hp:performance_center:12.50:p1:*:*:*:*:*:*", "matchCriteriaId": "235AB949-A179-48FC-BFAA-7796578E430D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "web/admin/data.js in the Performance Center Virtual Table Server (VTS) component in HPE LoadRunner 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.02 through patch 2, and 12.50 through patch 3 and Performance Center 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.20 through patch 2, and 12.50 through patch 1 do not restrict file paths sent to an unlink call, which allows remote attackers to delete arbitrary files via the path parameter to data/import_csv, aka ZDI-CAN-3555."}, {"lang": "es", "value": "web/admin/data.js en el componente Performance Center Virtual Table Server (VTS) en HPE LoadRunner 11.52 hasta el parche 3, 12.00 hasta el parche 1, 12.01 hasta el parche 3, 12.02 hasta el parche 2 y 12.50 hasta el parche 3 y Performance Center 11.52 hasta el parche 3, 12.00 hasta el parche 1, 12.01 hasta el parche 3, 12.20 hasta el parche 2 y 12.50 hasta el parche 1 no restringe rutas de archivo enviadas a un llamada desvinculada, lo que permite a atacantes remotos borrar archivos arbitrarios a trav\u00e9s del par\u00e1metro de ruta a data/import_csv, tambi\u00e9n conocido como ZDI-CAN-3555."}], "id": "CVE-2016-4360", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-06-08T14:59:42.313", "references": [{"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/90975"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1036006"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.zerodayinitiative.com/advisories/ZDI-16-364"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05157423"}, {"source": "cve@mitre.org", "url": "https://www.tenable.com/security/research/tra-2016-17"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/90975"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1036006"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.zerodayinitiative.com/advisories/ZDI-16-364"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05157423"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.tenable.com/security/research/tra-2016-17"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}