Summary
A directory traversal vulnerability exists in Crystal Reports and Crystal Enterprise from Business Objects that could allow Information Disclosure and Denial of Service attacks on an affected system. An attacker who successfully exploited the vulnerability could retrieve and delete files through the Crystal Reports and Crystal Enterprise Web interface on an affected system.
Solution
Microsoft has released a patch to fix this issue. Download it from the following website: http://www.microsoft.com/technet/security/bulletin/ms04-017.mspx
- Visual Studio .NET 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=659CA40E-808D-431D-A7D3-33BC3ACE922D&displaylang=en
- Outlook 2003 with Business Contact Manager: http://www.microsoft.com/downloads/details.aspx?FamilyId=9016B9F3-BA86-4A95-9D89-E120EF2E85E3&displaylang=en
- Microsoft Business Solutions CRM 1.2: http://go.microsoft.com/fwlink/?LinkId=30127
Severity
Classification
- CVE: CVE-2004-0204
- CVSS Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Related Vulnerabilities
- Microsoft 'hxvz.dll' ActiveX Control Memory Corruption Vulnerability (948881)
- Microsoft Comctl32 Integer Overflow Vulnerability (2864058)
- Microsoft .NET Framework Privilege Elevation Vulnerability (2800277)
- Microsoft .NET Common Language Runtime Remote Code Execution Vulnerability (2265906)
- Microsoft Ancillary Function Driver Elevation of Privilege Vulnerability (956803)