CVE-2003-0456

VisNetic WebSite 3.5 allows remote attackers to obtain the full pathname of the server via a request containing a folder that does not exist, which leaks the pathname in an error message, as demonstrated using _vti_bin/fpcount.exe.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0002.html	Exploit Patch Vendor Advisory
http://marc.info/?l=bugtraq&m=105733894003737&w=2
http://www.krusesecurity.dk/advisories/vis0103.txt
http://www.securityfocus.com/bid/8075	Patch Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/12483

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:deerfield:visnetic_website:3.5.13:::::::*
	cpe:2.3:a:deerfield:visnetic_website:3.5.15:::::::*
	cpe:2.3:a:deerfield:visnetic_website:3.5.17:::::::*

History

No history.

Information

Published : 2003-08-18 04:00

Updated : 2024-02-28 10:24

NVD link : CVE-2003-0456

Mitre link : CVE-2003-0456

CVE.ORG link : CVE-2003-0456

JSON object : View

Products Affected

deerfield

visnetic_website

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2003-0456", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2003-08-18T04:00:00.000", "references": [{"url": "http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0002.html", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://marc.info/?l=bugtraq&m=105733894003737&w=2", "source": "cve@mitre.org"}, {"url": "http://www.krusesecurity.dk/advisories/vis0103.txt", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/8075", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/12483", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "VisNetic WebSite 3.5 allows remote attackers to obtain the full pathname of the server via a request containing a folder that does not exist, which leaks the pathname in an error message, as demonstrated using _vti_bin/fpcount.exe."}, {"lang": "es", "value": "VisNetic WebSite 3.5 permite a atacantes remotos obtener la ruta completa del servidor mediante una petici\u00f3n conteniendo una carpeta que no existe, lo que filtra la ruta en un mensaje de error, como se demostr\u00f3 usando _vti_bin/fpcount.exe."}], "lastModified": "2017-07-11T01:29:32.383", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:deerfield:visnetic_website:3.5.13:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0C09A9D8-CEBC-452C-B6F6-1F494FBF8CDC"}, {"criteria": "cpe:2.3:a:deerfield:visnetic_website:3.5.15:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "376B1D26-E52C-4743-81CF-BE70C612531C"}, {"criteria": "cpe:2.3:a:deerfield:visnetic_website:3.5.17:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D16BAB6-ED35-4DF8-9D15-3EFB568C0310"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}