Description
Business Objects WebIntelligence 2.7.0 through 2.7.4 only enforces access controls on the client, which allows remote authenticated users to delete arbitrary files on the server via a crafted delete request using the InfoView web client.
Affected products
- businessobjects / infoview 5.1.4 – 5.1.4
- businessobjects / infoview 5.1.5 – 5.1.5
- businessobjects / infoview 5.1.6 – 5.1.6
- businessobjects / infoview 5.1.7 – 5.1.7
- businessobjects / infoview 5.1.8 – 5.1.8
- businessobjects / webintelligence 2.7 – 2.7
- businessobjects / webintelligence 2.7.1 – 2.7.1
- businessobjects / webintelligence 2.7.2 – 2.7.2
- businessobjects / webintelligence 2.7.3 – 2.7.3
- businessobjects / webintelligence 2.7.4 – 2.7.4
References
- MISC: https://exchange.xforce.ibmcloud.com/vulnerabilities/17422
- MISC: http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0056.html
- VENDOR_ADVISORY: http://secunia.com/advisories/12587/
- MISC: http://www.securityfocus.com/bid/11208
- MAILING_LIST: http://lists.grok.org.uk/pipermail/full-disclosure/2004-September/026549.html