Summary
The web application runs on the Vaadin Framework, which is prone to an information-disclosure vulnerability because it fails to properly sanitize user-supplied input in resource requests.
Impact
A remote user with access to a portlet on the portal can read files in the portlet deployment directory by sending specially crafted resource requests, provided the attacker knows the name of the target file.
Solution
Upgrade to Vaadin Framework version 6.8.10 or later (6.x branch) or 7.0.4 or later (7.x branch). For updates refer to http://www.vaadin.com/releases
Insight
This flaw exists because of leftover, unused code in the AbstractApplicationPortlet class.
Affected
Vaadin Framework versions 6.2.0 through 6.8.9 and 7.0.0 through 7.0.3.
Detection
Check the installed Vaadin Framework version against the affected ranges listed above.
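Worked example of the version check described above (an added illustration, not the scanner's own detection script): it parses a reported Vaadin version string, compares it against the two affected ranges in this advisory, and names the release the host should upgrade to. The host names and version strings below are constructed for the demo. The example assumes the version string has already been obtained from the target by whatever fingerprinting the deployment allows; it does not fetch anything itself.

```python
import re
from typing import Optional, Tuple

# Affected ranges taken from the advisory. Each entry is (first affected,
# first fixed) and the range is [first affected, first fixed), which is the
# same as "6.2.0 up to 6.8.9" and "7.0.0 up to 7.0.3".
VULNERABLE_RANGES = [
    ("6.2.0", "6.8.10"),
    ("7.0.0", "7.0.4"),
]

# Numeric dotted prefix, optionally followed by a qualifier such as
# ".beta1" or "-rc2".
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[.\-]?([A-Za-z].*))?$")


def version_key(text: str) -> Tuple[int, ...]:
    """Turn '6.8.9', '7.0.3.beta1' or '7.0.0-rc2' into a comparable tuple.

    The numeric part is padded to at least three components and a trailing
    flag is appended: 1 for a final release, 0 for anything carrying a
    qualifier (alpha/beta/rc). A pre-release therefore sorts below the final
    release with the same number, so '6.8.10.beta1' is still treated as
    unfixed, which is the conservative choice for a scanner.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) < 3:
        nums.append(0)
    final = 0 if m.group(2) else 1
    return tuple(nums) + (final,)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release the host should upgrade to, or None
    when the reported version lies outside every affected range.

    The lower bound is compared on the numeric part only, so a pre-release
    of the first affected version is also flagged; the upper bound keeps the
    pre-release flag, so a pre-release of the fixing version is flagged too.
    """
    key = version_key(version)
    for first_affected, first_fixed in VULNERABLE_RANGES:
        lo = version_key(first_affected)[:-1]
        hi = version_key(first_fixed)
        if key[:-1] >= lo and key < hi:
            return first_fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


# Constructed sample: host -> version string as a detection step might
# report it. These are made up for the demo, not scanner output.
SAMPLE_HOSTS = {
    "portal-a.example": "6.8.9",
    "portal-b.example": "6.8.10",
    "portal-c.example": "7.0.3",
    "portal-d.example": "7.0.4.beta1",
    "portal-e.example": "7.1.0",
    "portal-f.example": "6.1.5",
}


def report(hosts=SAMPLE_HOSTS):
    """Map each host to its upgrade target, or None when not affected."""
    return {host: fixed_version_for(v) for host, v in hosts.items()}


if __name__ == "__main__":
    for host, fix in report().items():
        status = f"VULNERABLE, upgrade to {fix}" if fix else "not affected"
        print(f"{host}: {status}")
```

Treating pre-releases as older than the matching final release is deliberate: a version-only check cannot tell whether a beta of 6.8.10 or 7.0.4 already contains the fix, so the scanner should err towards reporting it. A version string with an unexpected shape raises rather than silently passing as "not affected".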
References
Severity
Classification
-
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- APC PowerChute Network Shutdown 'security/applet' Cross Site Scripting Vulnerability
- Adobe JRun Management Console Multiple Vulnerabilities
- Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities
- Apache OFBiz Multiple Cross Site Scripting Vulnerabilities
- @Mail WebMail Email Body HTML Injection Vulnerability