Vulnerability Description
Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimag argument to crystalimagehandler.aspx.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bea | Weblogic Server | 8.1 |
| Borland Software | J Builder | All versions |
| Businessobjects | Crystal Enterprise | 9 |
| Businessobjects | Crystal Enterprise Java Sdk | 8.5 |
| Businessobjects | Crystal Enterprise Ras | 8.5 |
| Businessobjects | Crystal Reports | 9 |
| Microsoft | Business Solutions Crm | 1.2 |
| Microsoft | Outlook | 2003 |
| Microsoft | Visual Studio .Net | 2003 |
References
- http://marc.info/?l=bugtraq&m=108360413811017&w=2
- http://marc.info/?l=bugtraq&m=108671836127360&w=2
- http://secunia.com/advisories/11800
- http://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_
- http://www.osvdb.org/6748
- http://www.securityfocus.com/bid/10260ExploitPatchVendor Advisory
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-01
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16044
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3
- http://marc.info/?l=bugtraq&m=108360413811017&w=2
- http://marc.info/?l=bugtraq&m=108671836127360&w=2
- http://secunia.com/advisories/11800
- http://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_
- http://www.osvdb.org/6748
- http://www.securityfocus.com/bid/10260ExploitPatchVendor Advisory
FAQ
What is CVE-2004-0204?
CVE-2004-0204 is a vulnerability with a CVSS score of 7.5 (HIGH). Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Co...
How severe is CVE-2004-0204?
CVE-2004-0204 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2004-0204?
Check the references section above for vendor advisories and patch information. Affected products include: Bea Weblogic Server, Borland Software J Builder, Businessobjects Crystal Enterprise, Businessobjects Crystal Enterprise Java Sdk, Businessobjects Crystal Enterprise Ras.