Lucene search

[email protected]CVE-2008-2044

HistoryMay 01, 2008 - 7:05 p.m.

CVE-2008-2044

2008-05-0119:05:00

CWE-94

[email protected]

web.nvd.nist.gov

cve-2008-2044

netoffice dwins

authentication bypass

code execution

php

security vulnerability

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

7.9 High

AI Score

Confidence

Low

0.123 Low

EPSS

Percentile

95.4%

JSON

includes/library.php in netOffice Dwins 1.3 p2 compares the demoSession variable to the ‘true’ string literal instead of the true boolean literal, which allows remote attackers to bypass authentication and execute arbitrary code by setting this variable to 1, as demonstrated by uploading a PHP script via an add action to projects_site/uploadfile.php.

Affected configurations

NVD

Node

netofficedwinsMatch1.3

CPENameOperatorVersion
netoffice:dwinsnetoffice dwinseq1.3

CPE	Name	Operator	Version
netoffice:dwins	netoffice dwins	eq	1.3

References

netofficedwins.sourceforge.net/modules/news/article.php?storyid=47

secunia.com/advisories/29193

securityreason.com/securityalert/3845

sourceforge.net/forum/forum.php?forum_id=814851

www.securityfocus.com/archive/1/488958

www.securityfocus.com/archive/1/491542/100/0/threaded

www.securityfocus.com/bid/28051

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

7.9 High

AI Score

Confidence

Low

0.123 Low

EPSS

Percentile

95.4%

JSON

Related for CVE-2008-2044

nessus1 cvelist1 nvd1 prion1