CVE-2019-19992

Published: Feb 26, 2020Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. A user with valid credentials is able to read XML files on the filesystem via the web interface. The PHP page /common/vam_editXml.php doesn't check the parameter that identifies the file name to be read. Thus, an attacker can manipulate the file name to access a potentially sensitive file within the filesystem.

Affected (1)

Products: Seling: Visual Access Manager

1 product

Visual Access Manager

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Seling Visual Access Manager	From 4.15.0 to 4.29.0

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (6)

https://www.seling.it/

Source: cve@mitre.org

Product

https://www.seling.it/product/vam/

Source: cve@mitre.org

ProductVendor Advisory

https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.html

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.seling.it/

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://www.seling.it/product/vam/

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.