Environment
Novell Service Desk 7.0.3
Novell Service Desk 7.1
Situation
There was a path traversal vulnerability in the import users
functionality that may have allowed a remote attacker authenticated
as an administrative user to upload arbitrary files to the server.
Depending on the payload and placement of the uploaded file, this
could lead to remote code execution.
This has been reported as CVE-2016-1593.
Resolution
This is fixed in Micro Focus Service Desk 7.2.
Additional Information
Thanks to Pedro Ribeiro (pedrib@gmail.com) from Agile Information
Security for discovering and reporting this vulnerability.