CVE-2015-5970

Published: Feb 18, 2016Modified: May 6, 2026

5.3

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

The ChangePassword RPC method in Novell ZENworks Configuration Management (ZCM) 11.3 and 11.4 allows remote attackers to conduct XPath injection attacks, and read arbitrary text files, via a malformed query involving a system entity reference.

Affected (5)

Products: Novell: Zenworks Configuration Management

Novell

1 product

Zenworks Configuration Management

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Novell Zenworks Configuration Management	Version 11.3.0
Novell Zenworks Configuration Management	Version 11.3.1
Novell Zenworks Configuration Management	Version 11.3.2
Novell Zenworks Configuration Management	Version 11.4.0
Novell Zenworks Configuration Management	Version 11.4.1

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (4)

http://www.zerodayinitiative.com/advisories/ZDI-16-167

Source: security@opentext.com

https://www.novell.com/support/kb/doc.php?id=7017240

Source: security@opentext.com

http://www.zerodayinitiative.com/advisories/ZDI-16-167

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.novell.com/support/kb/doc.php?id=7017240

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.