ID

VAR-201301-0177


CVE

CVE-2012-6500


TITLE

Directory traversal vulnerability in download.lib.php of Pragyan CMS

Trust: 0.8

sources: JVNDB: JVNDB-2013-001090

DESCRIPTION

Directory traversal vulnerability in download.lib.php in Pragyan CMS 3.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the fileget parameter in a profile action to index.php. Pragyan CMS is prone to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to view local files in the context of the webserver process, which may aid in further attacks. Pragyan CMS 3.0 is vulnerable; other versions may also be affected.

Trust: 1.89

sources: NVD: CVE-2012-6500 // JVNDB: JVNDB-2013-001090 // BID: 51360

AFFECTED PRODUCTS

vendor: pragyan cms | model: pragyan cms | scope: lte | version: 3.0

Trust: 1.8

vendor: pragyan cms | model: pragyan cms | scope: eq | version: 2.5.12

Trust: 1.6

vendor: pragyan cms | model: pragyan cms | scope: eq | version: 2.5.4

Trust: 1.6

vendor: pragyan cms | model: pragyan cms | scope: eq | version: 2.6.3

Trust: 1.6

vendor: pragyan cms | model: pragyan cms | scope: eq | version: 2.6.2

Trust: 1.6

vendor: pragyan cms | model: pragyan cms | scope: eq | version: 2.5.9

Trust: 1.6

vendor: pragyan cms | model: pragyan cms | scope: eq | version: 2.5.13

Trust: 1.6

vendor: pragyan cms | model: pragyan cms | scope: eq | version: 2.5.14

Trust: 1.6

vendor: pragyan cms | model: pragyan cms | scope: eq | version: 2.6.1

Trust: 1.6

vendor: pragyan cms | model: pragyan cms | scope: eq | version: 2.6.4

Trust: 1.6

vendor: pragyan cms | model: pragyan cms | scope: eq | version: 3.0

Trust: 0.6

vendor: pragyan | model: cms pragyan cms | scope: eq | version: 3.0

Trust: 0.3

sources: BID: 51360 // JVNDB: JVNDB-2013-001090 // CNNVD: CNNVD-201201-118 // NVD: CVE-2012-6500

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2012-6500
value: MEDIUM

Trust: 1.0

NVD: CVE-2012-6500
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201201-118
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2012-6500
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2013-001090 // CNNVD: CNNVD-201201-118 // NVD: CVE-2012-6500

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.8

sources: JVNDB: JVNDB-2013-001090 // NVD: CVE-2012-6500

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201201-118

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201201-118

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-001090

PATCH

title: Pragyan CMS | url: http://sourceforge.net/projects/pragyan

Trust: 0.8

sources: JVNDB: JVNDB-2013-001090

EXTERNAL IDS

db: NVD | id: CVE-2012-6500

Trust: 2.4

db: BID | id: 51360

Trust: 1.9

db: OSVDB | id: 82585

Trust: 1.6

db: EXPLOIT-DB | id: 18347

Trust: 1.6

db: JVNDB | id: JVNDB-2013-001090

Trust: 0.8

db: CNNVD | id: CNNVD-201201-118

Trust: 0.6

sources: BID: 51360 // JVNDB: JVNDB-2013-001090 // CNNVD: CNNVD-201201-118 // NVD: CVE-2012-6500

REFERENCES

url:http://www.securityfocus.com/bid/51360

Trust: 1.6

url:http://www.osvdb.org/82585

Trust: 1.6

url:http://www.exploit-db.com/exploits/18347

Trust: 1.6

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-6500

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-6500

Trust: 0.8

url:http://sourceforge.net/projects/pragyan/

Trust: 0.3

sources: BID: 51360 // JVNDB: JVNDB-2013-001090 // CNNVD: CNNVD-201201-118 // NVD: CVE-2012-6500

CREDITS

Or4nG.M4N

Trust: 0.9

sources: BID: 51360 // CNNVD: CNNVD-201201-118

SOURCES

db: BID | id: 51360
db: JVNDB | id: JVNDB-2013-001090
db: CNNVD | id: CNNVD-201201-118
db: NVD | id: CVE-2012-6500

LAST UPDATE DATE

2024-08-14T14:28:05.668000+00:00


SOURCES UPDATE DATE

db: BID | id: 51360 | date: 2012-01-10T00:00:00
db: JVNDB | id: JVNDB-2013-001090 | date: 2013-01-16T00:00:00
db: CNNVD | id: CNNVD-201201-118 | date: 2013-01-14T00:00:00
db: NVD | id: CVE-2012-6500 | date: 2013-01-23T05:00:00

SOURCES RELEASE DATE

db: BID | id: 51360 | date: 2012-01-10T00:00:00
db: JVNDB | id: JVNDB-2013-001090 | date: 2013-01-16T00:00:00
db: CNNVD | id: CNNVD-201201-118 | date: 1900-01-01T00:00:00
db: NVD | id: CVE-2012-6500 | date: 2013-01-12T04:33:49.243