Service Desk Path Traversal Vulnerability (CVE-2016-1593)

  • 7017428
  • 30-Mar-2016
  • 04-Apr-2016

Environment

Novell Service Desk 7.0.3
Novell Service Desk 7.1

Situation

There was a path traversal vulnerability in the import users functionality that may have allowed a remote attacker authenticated as an administrative user to upload arbitrary files to the server. Depending on the payload and placement of the uploaded file, this could lead to remote code execution.

This has been reported as CVE-2016-1593.
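
The class of flaw described above, shown as an added example that is not taken from this advisory or from Service Desk's code: an upload handler that joins a client-supplied file name to its import directory unchecked, beside a hardened resolver. The function names, directory layout and sample file names are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def naive_target(upload_dir, client_name):
    """Weak pattern: the client-supplied name is joined to the directory unchecked."""
    return Path(os.path.normpath(os.path.join(upload_dir, client_name)))


def safe_target(upload_dir, client_name):
    """Return the write path for an upload, or raise ValueError if it is unsafe."""
    # Reject separators of either style, NUL bytes and the dot names outright.
    if (not client_name or client_name in (".", "..")
            or any(c in client_name for c in "/\\\x00")):
        raise ValueError("file name must be a single path component")
    base = Path(upload_dir).resolve()
    target = (base / client_name).resolve()
    # Check containment after resolution so a symlink already present in the
    # directory cannot redirect the write somewhere else.
    if target.parent != base:
        raise ValueError("resolved path escapes the upload directory")
    return target


def demo():
    """Run constructed sample names through both functions."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = Path(tmp, "imports")
        upload_dir.mkdir()
        base = upload_dir.resolve()
        # Constructed case: a symlink inside the directory that points outside it.
        os.symlink(Path(tmp, "elsewhere.txt"), upload_dir / "link.csv")
        for name in ("users.csv", "../../outside.txt", "..\\outside.txt", "..", "link.csv"):
            naive_inside = base in naive_target(upload_dir, name).resolve().parents
            try:
                safe = safe_target(upload_dir, name).name
            except ValueError:
                safe = None  # rejected
            results[name] = (naive_inside, safe)
    return results


if __name__ == "__main__":
    for name, (naive_inside, safe) in demo().items():
        print(f"{name!r}: naive stays inside={naive_inside}, safe={safe!r}")
```

The backslash-separated name is only a traversal on platforms that treat `\` as a separator, which is why the hardened function rejects both styles regardless of the host.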

Resolution

This is fixed in Micro Focus Service Desk 7.2.

Additional Information

Thanks to Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security for discovering and reporting this vulnerability.