Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2016-4360

web/admin/data.js in the Performance Center Virtual Table Server (VTS) component in HPE LoadRunner 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.02 through patch 2, and 12.50 through patch 3 and Performance Center 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.20 through patch 2, and 12.50 through patch 1 do not restrict file paths sent to an unlink call, which allows remote attackers to delete arbitrary files via the path parameter to data/import_csv, aka ZDI-CAN-3555.

Published

2016-06-08T14:59:42.313

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 9.1 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

10.0

Impact Score

4.9

Weaknesses
  • Type: Primary
    NVD-CWE-noinfo
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application hp loadrunner 11.52 Yes
Application hp loadrunner 12.00 Yes
Application hp loadrunner 12.01 Yes
Application hp loadrunner 12.02 Yes
Application hp loadrunner 12.50 Yes
Application hp performance_center 11.52 Yes
Application hp performance_center 12.00 Yes
Application hp performance_center 12.01 Yes
Application hp performance_center 12.20 Yes
Application hp performance_center 12.50 Yes
References