Oct 08, 2014 - 7:55 p.m.

CVE-2014-7296

2014-10-08 19:55:05
CWE-94
web.nvd.nist.gov
Tags: cve-2014-7296, spagobi, accessibility engine, remote authenticated users, arbitrary java code, crafted xsl, nvd

CVSS2: 6.8 Medium

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score: 7.3 High (Confidence: Low)

EPSS: 0.005 Low (Percentile: 76.3%)

The default configuration in the accessibility engine in SpagoBI 5.0.0 does not set FEATURE_SECURE_PROCESSING, which allows remote authenticated users to execute arbitrary Java code via a crafted XSL document.
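
The mitigation this description points to, as an added example (not SpagoBI's code or its actual fix): a JAXP TransformerFactory with FEATURE_SECURE_PROCESSING enabled, checked against a constructed stylesheet that calls a harmless Java extension function. With the feature set, the JDK's built-in XSLT processor refuses extension functions. The class and method names are hypothetical, and the two ACCESS_EXTERNAL_* attributes assume a JAXP 1.5 implementation such as the one built into Java 8 and later.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class SecureXslt {
    // Constructed sample: a stylesheet that binds a namespace to java.lang.Math
    // and calls Math.abs as an XSLT extension function.
    static final String XSL_WITH_EXTENSION =
        "<xsl:stylesheet version='1.0'"
      + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
      + " xmlns:m='http://xml.apache.org/xalan/java/java.lang.Math'>"
      + "<xsl:template match='/'><xsl:value-of select='m:abs(-1)'/></xsl:template>"
      + "</xsl:stylesheet>";

    // Factory for stylesheets that come from users or other untrusted sources.
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // The setting the CVE description says was missing by default.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Assumption: JAXP 1.5 attributes are supported. Empty string = no
        // protocol allowed for external DTDs or xsl:import / xsl:include / document().
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // True if the stylesheet compiles and runs against a trivial input document.
    static boolean accepts(TransformerFactory tf, String xsl) {
        try {
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(xsl)));
            t.transform(new StreamSource(new StringReader("<doc/>")),
                        new StreamResult(new StringWriter()));
            return true;
        } catch (TransformerException e) { // also covers TransformerConfigurationException
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened factory accepts extension call: "
            + accepts(hardenedFactory(), XSL_WITH_EXTENSION));
    }
}
```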

Affected configurations

NVD
Node: eng spagobi, Match: 5.0
CPE: eng:spagobi, Name: eng spagobi, Operator: eq, Version: 5.0
