CVE-2013-0501

The EdrawSoft EDOFFICE.EDOfficeCtrl.1 ActiveX control, as used in Edraw Office Viewer Component, the client in IBM Cognos Disclosure Management (CDM) 10.2.0, and other products, allows remote attackers to read arbitrary files, or download an arbitrary program onto a client machine and execute this program, via a crafted web site.

CVSS v2.0 9.3 HIGH

9.3^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.ibm.com/support/docview.wss?uid=swg21627070	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/82345
http://www.ibm.com/support/docview.wss?uid=swg21627070	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/82345

Configurations

Configuration 1 (hide)

cpe:2.3:a:ibm:cognos_disclosure_management:10.2.0:*:*:*:*:*:*:*

History

21 Nov 2024, 01:47

Type	Values Removed	Values Added
References	~~() http://www.ibm.com/support/docview.wss?uid=swg21627070 - Vendor Advisory~~	() http://www.ibm.com/support/docview.wss?uid=swg21627070 - Vendor Advisory
References	~~() https://exchange.xforce.ibmcloud.com/vulnerabilities/82345 -~~	() https://exchange.xforce.ibmcloud.com/vulnerabilities/82345 -

Information

Published : 2013-04-12 19:55

Updated : 2024-11-21 01:47

NVD link : CVE-2013-0501

Mitre link : CVE-2013-0501

CVE.ORG link : CVE-2013-0501

JSON object : View

Products Affected

ibm

cognos_disclosure_management

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2013-0501", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2013-04-12T19:55:01.890", "references": [{"url": "http://www.ibm.com/support/docview.wss?uid=swg21627070", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82345", "source": "psirt@us.ibm.com"}, {"url": "http://www.ibm.com/support/docview.wss?uid=swg21627070", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82345", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The EdrawSoft EDOFFICE.EDOfficeCtrl.1 ActiveX control, as used in Edraw Office Viewer Component, the client in IBM Cognos Disclosure Management (CDM) 10.2.0, and other products, allows remote attackers to read arbitrary files, or download an arbitrary program onto a client machine and execute this program, via a crafted web site."}, {"lang": "es", "value": "El control ActiveX EDrawSoft EDOFFICE.EDOfficeCtrl.1, tal como se utiliza en el componente Edraw Office Viewer, el cliente de IBM Cognos Disclosure Management (CDM) v10.2.0 y otros productos, permite a atacantes remotos leer archivos de su elecci\u00f3n, o descargar un programa de su elecci\u00f3n en una m\u00e1quina cliente y ejecutar este programa, a trav\u00e9s de un sitio web modificado para tal fin."}], "lastModified": "2024-11-21T01:47:41.523", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:cognos_disclosure_management:10.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A6463884-7782-4EC0-ADD8-126C31A68525"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}