CompanySecurity Spotlight
Return
DDI's Vulnerability Research Team Announces Discovery: DDIVRT-2013-53 Actuate 'ActuateJavaComponent' Multiple Vulnerabilities

 

Severity

--------

High

Date Discovered

---------------

March 19, 2013

Discovered By

-------------

Digital Defense, Inc. Vulnerability Research Team

Credit: Dennis Lavrinenko, Bobby Lockett, and r@b13$

1. Actuate 'ActuateJavaComponent' Arbitrary File Retrieval

Vulnerability Description

-------------------------

Actuate 10 contains a vulnerability within the 'ActuateJavaComponent'. This component allows unauthenticated attackers to retrieve arbitrary system files located outside of the web root.

Solution Description

--------------------

A solution for this security issue is not available at this time. End-users can mitigate this flaw by limiting access to affected systems through the use of access controls.

2. Actuate 'ActuateJavaComponent' Arbitrary Directory Browsing Vulnerability

Vulnerability Description

-------------------------

Actuate 10 contains an arbitrary directory browsing vulnerability within the 'ActuateJavaComponent'. This vulnerability allows the contents of any drive or directory to be browsed within the web application's interface.

Solution Description

--------------------

A solution for this security issue is not available at this time. End-users can mitigate this flaw by limiting access to affected systems through the use of access controls.

Tested Systems / Software

-------------------------

Actuate 10 Service Pack 1 Fix 4

Vendor Contact

--------------

Vendor Name: Actuate Corporation

Vendor Website: http://www.actuate.com/home/

 

Alert Center

10/23/2014 » CVE-2014-3828
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id parameter to views/graphs/graphStatus/displayServiceStatus.php, (4) the mnftr_id parameter to configuration/configObject/traps/GetXMLTrapsForVendor.php, or (5) the index parameter to common/javascript/commandGetArgs/cmdGetExample.php in include/. [READ ME]

Visit DDI Alert Center