JVNVU#94198685
QND Advance/Standard vulnerable to directory traversal
Overview
QND Advance/Standard provided by QualitySoft Corporation contains a directory traversal vulnerability.
Products Affected
- QND Advance/Standard all versions
Description
QND Advance/Standard provided by QualitySoft Corporation contains a directory traversal vulnerability (CWE-22) in an administrative server due to the issue in processing input from an agent program.
An administrative server does not require authentication in the communication between a server and an agent program either, therefore an arbitrary request from an arbitrary device with access to an administrative server can be sent and processed.
Impact
If an administrative server processes a specially crafted command, an arbitrary file in the administrative server may be obtained or altered.
Solution
Update the Software
Apply the latest update according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| QualitySoft Corporation | About a vulnerability found in QND Advance/Standard |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Muneaki Nishimura of of Recruit Technologies Co.,Ltd. RED TEAM reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2017-10861 |
| JVN iPedia |
|