History: Jan 28, 2021 - 6:05 p.m.

Security Bulletin: It is possible to download arbitrary server files via ViewONE server (CVE-2019-4260)

Published: 2021-01-28 18:05:24
Source: www.ibm.com
Tags: ibm daeja viewone; file download; sensitive information disclosure; server vulnerability; web application server; version 5.0.6; version 5.0.5

EPSS: 0.001 (percentile 27.9%)

Summary

A logged-in user may be able to download arbitrary files from the server using the ViewONE Virtual platform.

Vulnerability Details

CVEID: CVE-2019-4260
DESCRIPTION: IBM Daeja ViewONE Professional, Standard & Virtual could allow an unauthorized user to download server files, resulting in sensitive information disclosure.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/160012 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Daeja ViewONE Virtual 5.0 - 5.0.6

Remediation/Fixes

Fixes for the vulnerability are included in Daeja ViewONE Virtual 5.0.5 iFix 14 and in all releases from Daeja ViewONE Virtual 5.0.6 iFix 2 onward.

Workarounds and Mitigations

The risk of arbitrary file download can be reduced by running the web application server under an account with limited permissions, so that a download flaw can only reach files that account is allowed to read.
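The mitigation above is the least-privilege principle applied to the server's file access: whatever the application server's account can read is what an arbitrary-download bug can expose. The script below is an added illustration, not from IBM's bulletin or the ViewONE product; it audits a directory tree for files readable by "others" that sit outside the intended document root and tightens them. The directory layout and file names are constructed for the example; the bulletin does not describe ViewONE's real install layout.

```python
# Added example (not from the IBM bulletin): audit a deployment tree for
# world-readable files outside the document root and remove the "others"
# read bit from them. Sample tree below is constructed for illustration.
import os
import stat
import tempfile


def world_readable_files(root: str) -> list:
    """Relative paths of files under root whose mode grants read to others."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IROTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def files_outside_webroot(root: str, webroot: str) -> list:
    """World-readable files that are NOT under the document root: these are
    the ones a file-download flaw could reach without any business need."""
    webroot_rel = os.path.relpath(webroot, root)
    return [p for p in world_readable_files(root)
            if not p.startswith(webroot_rel + os.sep)]


def restrict_outside_webroot(root: str, webroot: str) -> list:
    """Clear the others-read bit on every offending file; return what changed."""
    fixed = []
    for rel in files_outside_webroot(root, webroot):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IROTH)
        fixed.append(rel)
    return fixed


def build_sample_tree() -> str:
    """Constructed layout: a public webroot plus a config file that was
    mistakenly left world-readable. Returns the root directory path."""
    root = tempfile.mkdtemp(prefix="viewer-audit-")
    os.makedirs(os.path.join(root, "webroot"))
    os.makedirs(os.path.join(root, "config"))
    samples = {
        os.path.join("webroot", "index.html"): ("<html>public</html>\n", 0o644),
        os.path.join("config", "db.properties"): ("password=CONSTRUCTED\n", 0o644),
        os.path.join("config", "keystore.jks"): ("constructed-bytes\n", 0o600),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    webroot = os.path.join(root, "webroot")
    print("exposed before:", files_outside_webroot(root, webroot))
    print("fixed:", restrict_outside_webroot(root, webroot))
    print("exposed after:", files_outside_webroot(root, webroot))
```

On the constructed tree the audit flags only `config/db.properties` (the keystore is already mode 600 and the HTML file is meant to be public); after `restrict_outside_webroot` the list is empty. In a real deployment the application server would run as a dedicated non-root account, and the same check would be run against the paths that account can reach.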

