CVE-2014-0358 - Vulnerability Details - OpenCVE

Multiple directory traversal vulnerabilities in Xangati XSR before 11 and XNR before 7 allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the file parameter in a getUpgradeStatus action to servlet/MGConfigData, (2) the download parameter in a download action to servlet/MGConfigData, (3) the download parameter in a port_svc action to servlet/MGConfigData, (4) the file parameter in a getfile action to servlet/Installer, or (5) the binfile parameter to servlet/MGConfigData.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Xangati	Xangati Software Release Xangati Xnr

Configuration 1 [-]

OR	cpe:2.3:a:xangati:xangati_software_release:-:::::::*
	cpe:2.3:a:xangati:xangati_xnr:-:::::::*

No data.

References

Link	Providers
http://www.kb.cert.org/vuls/id/657622

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2014-04-15T10:00:00

Updated: 2024-08-06T09:13:10.401Z

Reserved: 2013-12-05T00:00:00

Link: CVE-2014-0358

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-04-15T10:55:12.120

Modified: 2025-04-12T10:46:40.837

Link: CVE-2014-0358

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-04-14T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple directory traversal vulnerabilities in Xangati XSR before 11 and XNR before 7 allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the file parameter in a getUpgradeStatus action to servlet/MGConfigData, (2) the download parameter in a download action to servlet/MGConfigData, (3) the download parameter in a port_svc action to servlet/MGConfigData, (4) the file parameter in a getfile action to servlet/Installer, or (5) the binfile parameter to servlet/MGConfigData."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-04-15T03:57:00", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"name": "VU#657622", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/657622"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2014-0358", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple directory traversal vulnerabilities in Xangati XSR before 11 and XNR before 7 allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the file parameter in a getUpgradeStatus action to servlet/MGConfigData, (2) the download parameter in a download action to servlet/MGConfigData, (3) the download parameter in a port_svc action to servlet/MGConfigData, (4) the file parameter in a getfile action to servlet/Installer, or (5) the binfile parameter to servlet/MGConfigData."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "VU#657622", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/657622"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:13:10.401Z"}, "title": "CVE Program Container", "references": [{"name": "VU#657622", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/657622"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2014-0358", "datePublished": "2014-04-15T10:00:00", "dateReserved": "2013-12-05T00:00:00", "dateUpdated": "2024-08-06T09:13:10.401Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xangati:xangati_software_release:-:*:*:*:*:*:*:*", "matchCriteriaId": "3353613E-A7F8-4B92-9E44-3D64D9A677A2", "vulnerable": true}, {"criteria": "cpe:2.3:a:xangati:xangati_xnr:-:*:*:*:*:*:*:*", "matchCriteriaId": "85EFB0AF-2ECF-44C1-94E4-33E7DA7574E8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple directory traversal vulnerabilities in Xangati XSR before 11 and XNR before 7 allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the file parameter in a getUpgradeStatus action to servlet/MGConfigData, (2) the download parameter in a download action to servlet/MGConfigData, (3) the download parameter in a port_svc action to servlet/MGConfigData, (4) the file parameter in a getfile action to servlet/Installer, or (5) the binfile parameter to servlet/MGConfigData."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de salto de directorio en Xangati XSR anterior a 11 y XNR anterior a 7 permiten a atacantes remotos leer archivos arbitrarios a trav\u00e9s de un .. (punto punto) en (1) el par\u00e1metro file en una acci\u00f3n getUpgradeStatus hacia servlet/MGConfigData, (2) el par\u00e1metro download en una acci\u00f3n de descarga hacia servlet/MGConfigData, (3) el par\u00e1metro download en una acci\u00f3n port_svc hacia servlet/MGConfigData, (4) el par\u00e1metro file en una acci\u00f3n getfile hacia servlet/Installer o (5) el par\u00e1metro binfile hacia servlet/MGConfigData."}], "id": "CVE-2014-0358", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 7.8, "confidentialityImpact": "COMPLETE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-04-15T10:55:12.120", "references": [{"source": "cret@cert.org", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/657622"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/657622"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}