CVE-2009-0244

8.8HIGH

Key Information:

Vendor
Microsoft
Status
Windows Mobile
Vendor
CVE Published:
21 January 2009

Summary

Directory traversal vulnerability in the OBEX FTP Service in the Microsoft Bluetooth stack in Windows Mobile 6 Professional, and probably Windows Mobile 5.0 for Pocket PC and 5.0 for Pocket PC Phone Edition, allows remote authenticated users to list arbitrary directories, and create or read arbitrary files, via a .. (dot dot) in a pathname. NOTE: this can be leveraged for code execution by writing to a Startup folder.

References

http://secunia.com/advisories/33598
third-party-advisoryx_refsource_SECUNIA
http://www.seguridadmobile.com/windows-mobile/windows-mob...
x_refsource_MISC
http://www.securityfocus.com/archive/1/500199/100/0/threaded
mailing-listx_refsource_BUGTRAQ

EPSS Score

2% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.