CVE-2017-9640 - OpenCVE

A Path Traversal issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web prior to 6.5; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to overwrite files that are used to execute code. This vulnerability does not affect version 6.5 of the software.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Automatedlogic	I-vu Sitescan Web
Carrier	Automatedlogic Webctrl

Configuration 1 [-]

OR	cpe:2.3:a:automatedlogic:i-vu::::::::
	cpe:2.3:a:automatedlogic:i-vu::::::::
	cpe:2.3:a:automatedlogic:i-vu::::::::
	cpe:2.3:a:automatedlogic:sitescan_web::::::::
	cpe:2.3:a:automatedlogic:sitescan_web::::::::
	cpe:2.3:a:automatedlogic:sitescan_web::::::::
	cpe:2.3:a:carrier:automatedlogic_webctrl::::::::
	cpe:2.3:a:carrier:automatedlogic_webctrl::::::::
	cpe:2.3:a:carrier:automatedlogic_webctrl::::::::
	cpe:2.3:a:carrier:automatedlogic_webctrl::::::::

No data.

References

Link	Providers
http://www.securityfocus.com/bid/100452
https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01
https://www.exploit-db.com/exploits/42543/

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2017-08-25T19:00:00

Updated: 2024-08-05T17:11:02.350Z

Reserved: 2017-06-14T00:00:00

Link: CVE-2017-9640

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-08-25T19:29:00.410

Modified: 2021-07-27T19:25:56.903

Link: CVE-2017-9640

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Automated Logic Corporation WebCTRL, i-VU, SiteScan", "vendor": "n/a", "versions": [{"status": "affected", "version": "Automated Logic Corporation WebCTRL, i-VU, SiteScan"}]}], "datePublic": "2017-08-25T00:00:00", "descriptions": [{"lang": "en", "value": "A Path Traversal issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web prior to 6.5; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to overwrite files that are used to execute code. This vulnerability does not affect version 6.5 of the software."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2017-09-06T09:57:02", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"name": "100452", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100452"}, {"name": "42543", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/42543/"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2017-9640", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Automated Logic Corporation WebCTRL, i-VU, SiteScan", "version": {"version_data": [{"version_value": "Automated Logic Corporation WebCTRL, i-VU, SiteScan"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Path Traversal issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web prior to 6.5; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to overwrite files that are used to execute code. This vulnerability does not affect version 6.5 of the software."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22"}]}]}, "references": {"reference_data": [{"name": "100452", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100452"}, {"name": "42543", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/42543/"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T17:11:02.350Z"}, "title": "CVE Program Container", "references": [{"name": "100452", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/100452"}, {"name": "42543", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/42543/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-9640", "datePublished": "2017-08-25T19:00:00", "dateReserved": "2017-06-14T00:00:00", "dateUpdated": "2024-08-05T17:11:02.350Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:automatedlogic:i-vu:*:*:*:*:*:*:*:*", "matchCriteriaId": "5948CDA4-5FE6-448B-9F64-D077F41DDF11", "versionEndIncluding": "5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:automatedlogic:i-vu:*:*:*:*:*:*:*:*", "matchCriteriaId": "E829060A-3BA2-43ED-AAC9-E0E5008345DE", "versionEndIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:automatedlogic:i-vu:*:*:*:*:*:*:*:*", "matchCriteriaId": "F476895F-3AF0-4F96-8420-E57801B03F33", "versionEndIncluding": "6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:automatedlogic:sitescan_web:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F6C18E1-2165-49FE-B351-56BF2B3142A1", "versionEndIncluding": "5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:automatedlogic:sitescan_web:*:*:*:*:*:*:*:*", "matchCriteriaId": "701AF14C-15DE-496A-8077-53D6BF3C80DC", "versionEndIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:automatedlogic:sitescan_web:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A35BFAD-0A53-438B-8A7A-78F92210DDE4", "versionEndIncluding": "6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:carrier:automatedlogic_webctrl:*:*:*:*:*:*:*:*", "matchCriteriaId": "A41C3278-DB17-488C-BFEF-AA51B8289DD0", "versionEndIncluding": "5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:carrier:automatedlogic_webctrl:*:*:*:*:*:*:*:*", "matchCriteriaId": "27E012C0-3E9B-484C-A697-B39DF43F0F69", "versionEndIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:carrier:automatedlogic_webctrl:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2A6E893-4D91-4D54-A831-B47F792FC6E6", "versionEndIncluding": "6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:carrier:automatedlogic_webctrl:*:*:*:*:*:*:*:*", "matchCriteriaId": "E912DDD9-081A-49A1-9CD5-9127B676A190", "versionEndIncluding": "6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Path Traversal issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web prior to 6.5; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to overwrite files that are used to execute code. This vulnerability does not affect version 6.5 of the software."}, {"lang": "es", "value": "Se ha descubierto un problema de salto de directorio en Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web en versiones anteriores a la 6.5; ALC WebCTRL, SiteScan Web 6.1 y anteriores; ALC WebCTRL, i-Vu 6.0 y anteriores; ALC WebCTRL, i-Vu, SiteScan Web 5.5 y anteriores; y ALC WebCTRL, i-Vu, SiteScan Web 5.2 y anteriores. Un atacante autenticado podr\u00eda ser capaz de sobrescribir archivos que se emplean para ejecutar c\u00f3digo. Esta vulnerabilidad no afecta a la versi\u00f3n 6.5 del software."}], "id": "CVE-2017-9640", "lastModified": "2021-07-27T19:25:56.903", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-08-25T19:29:00.410", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100452"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/42543/"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}