Path Traversal Arbitrary File Read affects DRYiCE MyXalytics
CVE-2023-45722
8.8 HIGH
Summary
HCL DRYiCE MyXalytics is prone to a path traversal vulnerability that allows for arbitrary file reading. This issue arises due to the application's method of handling external input when constructing file paths, particularly those intended to be confined within a restricted parent directory. The vulnerability stems from inadequate neutralization of special characters in the input, which enables attackers to craft malicious pathnames. If exploited, the attacker could potentially access sensitive files located beyond the intended directory boundaries, which may lead to significant disruptions and unauthorized control over the application.
Affected Version(s)
DRYiCE MyXalytics 5.9, 6.0, 6.1
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved