CVE-2017-9812

Published: Jul 17, 2017Modified: May 13, 2026

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The reportId parameter of the getReportStatus action method can be abused in the web interface in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312) to read arbitrary files with kluser privileges.

Affected (1)

Products: Kaspersky: Anti Virus For Linux Server

Kaspersky

1 product

Anti Virus For Linux Server

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Kaspersky Anti Virus For Linux Server	Up to 8.0.3.297

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (12)

http://packetstormsecurity.com/files/143190/Kaspersky-Anti-Virus-File-Server-8.0.3.297-XSS-CSRF-Code-Execution.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2017/Jun/33

Source: cve@mitre.org

ExploitMailing ListThird Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/99330

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1038798

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://www.coresecurity.com/advisories/kaspersky-anti-virus-file-server-multiple-vulnerabilities

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.exploit-db.com/exploits/42269/

Source: cve@mitre.org

http://packetstormsecurity.com/files/143190/Kaspersky-Anti-Virus-File-Server-8.0.3.297-XSS-CSRF-Code-Execution.html