Service Desk Vulnerability in the Access Control Enforcement of the File Download Functionality (CVE-2016-1594)

  • 7017429
  • 30-Mar-2016
  • 04-Apr-2016

Environment

Novell Service Desk 7.0.3
Novell Service Desk 7.1

Situation

There was a vulnerability in the access control enforcement of the file download functionality that may have allowed a remote attacker authenticated as a non-privileged user to read arbitrary file attachments from other users in the system.

This has been reported as CVE-2016-1594.

Resolution

This has been fixed in Micro Focus Service Desk 7.2.

Additional Information

Thanks to Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security for discovering and reporting this vulnerability.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.