Vulnerabilities > CVE-2010-0689 - Remote Command Execution vulnerability in DateV 'DVBSExeCall.ocx' ActiveX Control

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

datev

critical

NVD

Published: 2010-02-26

Updated: 2018-10-10

Summary

The ExecuteExe method in the DVBSExeCall Control ActiveX control 1.0.0.1 in DVBSExeCall.ocx in DATEV Base System (aka Grundpaket Basis) allows remote attackers to execute arbitrary commands via unspecified vectors. Per: http://cwe.mitre.org/data/definitions/77.html "CWE-77: Improper Sanitization of Special Elements used in a Command ('Command Injection')"

Vulnerable Configurations

Part	Description	Count
Application	Datev Datev Base System *	1

References

http://osvdb.org/62564
http://secunia.com/advisories/38716
http://sotiriu.de/adv/NSOADV-2010-003.txt
http://sotiriu.de/demos/videos/nso-2010-003.html
http://www.datev.de/info-db/1080162
http://www.securityfocus.com/archive/1/509743/100/0/threaded
http://www.securityfocus.com/bid/38415
http://www.vupen.com/english/advisories/2010/0474
https://exchange.xforce.ibmcloud.com/vulnerabilities/56530