A logged-in user may be able to download arbitrary files from the server using the ViewONE Virtual platform.
CVEID: CVE-2019-4260
DESCRIPTION: IBM Daeja ViewONE Professional, Standard & Virtual could allow an unauthorized user to download server files resulting in sensitive information disclosure.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160012> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected versions: Daeja ViewONE Virtual 5.0 - 5.0.6
Fixes for the vulnerability are included in Daeja ViewONE Virtual 5.0.5 iFix 14 and all releases from Daeja ViewONE Virtual 5.0.6 iFix 2 onward.
The risk of file download can be mitigated by running the web application server with limited permissions.
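As an added illustration of this mitigation (not part of the IBM bulletin), the following script lists which files under a directory a given service account could open by path, judged by POSIX mode bits alone, so the effect of lowering the application server's privileges can be checked. The demo tree, its file names and the service UID are constructed assumptions; ACLs, MAC policy and the permissions of the directory's own ancestors are not evaluated.

```python
import os
import tempfile

def _class_bits(st, uid, gids):
    """rwx bits that apply to this account (plain POSIX mode bits only)."""
    if uid == 0:
        return 7  # root bypasses discretionary permission checks
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def exposed_files(root, uid, gids=frozenset()):
    """Relative paths under root that the account can open for reading by path."""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not _class_bits(os.stat(dirpath), uid, gids) & 1:
            dirnames[:] = []  # no search (x) bit: nothing below is reachable
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # broken symlink or file removed during the walk
            if _class_bits(st, uid, gids) & 4:
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)

def build_demo_tree():
    """Constructed sample tree; file names and modes are invented for the demo."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "locked"))
    layout = {"public.txt": 0o644, "secret.key": 0o600,
              os.path.join("locked", "inner.txt"): 0o644}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "locked"), 0o700)
    os.chmod(root, 0o755)
    return root

if __name__ == "__main__":
    tree = build_demo_tree()
    service_uid = os.getuid() + 1  # hypothetical unprivileged service account
    print("service account:", exposed_files(tree, service_uid))
    print("file owner:     ", exposed_files(tree, os.getuid()))
```

Run against real data directories with the application server's actual UID and group IDs; any path it reports is within reach of a file-download flaw in that server.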