High

CVE-2004-0204 - Unspecified vulnerability in multiple products

Publication: 2004-08-06

Summary

Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimag argument to crystalimagehandler.aspx.

Risk level (CVSS 7.5)

High

Access Vector

  • Network
  • Adjacent Network
  • Local

Access Complexity

  • Low
  • Medium
  • High

Authentication

  • None
  • Single
  • Multiple

Confidentiality Impact

  • Complete
  • Partial
  • None

Integrity Impact

  • Complete
  • Partial
  • None

Affected Products

  • Microsoft Business Solutions CRM 1.2
  • BEA Weblogic Server 8.1
  • Businessobjects Crystal Enterprise Java SDK 8.5
  • Businessobjects Crystal Enterprise RAS 8.5
  • Businessobjects Crystal Enterprise 9
  • Businessobjects Crystal Reports 9
  • Businessobjects Crystal Enterprise 10
  • Businessobjects Crystal Reports 10
  • Microsoft Visual Studio .NET 2003
  • Microsoft Outlook 2003
  • Borland Software JBuilder