10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.944 High
EPSS
Percentile
99.2%
Added: 10/17/2013
CVE: CVE-2013-4798
BID: 61443
OSVDB: 95642
HP LoadRunner is a software performance testing solution. HP LoadRunner includes the **lrFileIOService**
ActiveX control.
HP LoadRunner before 11.52 is vulnerable to remote code execution. The **lrFileIOService**
ActiveX control exposes the **WriteFileString**
method which does not properly sanitize user supplied input. A remote attacker who persuades a user to open a crafted web page containing directory traversal style attacks (e.g. ‘…/…/’) can write a file to an arbitrary location, thereby possibly resulting in code execution.
Upgrade to HP LoadRunner 11.52 or higher as indicated in HP Security Bulletin HPSBGN02905 SSRT101083.
<http://secunia.com/advisories/54138/>
This exploit was tested against HP LoadRunner 11.50 on Windows XP SP3 English (DEP OptIn). The user must open the exploit in Internet Explorer.
Windows