CHT Security Red Team Discovered Vulnerabilities in Well-Known OpenText PVCS Version Manager

Summary

Vulnerability List

[CVE-2024-1147] – Arbitrary File Download

[CVE-2024-1148] – Arbitrary File Upload


Details

1. Arbitrary File Download

Description

The download function allows attackers to download files from the server without proper authentication and input validation.

Impact

An attacker can download files from the target machine for further analysis, possibly obtaining sensitive information or even executing arbitrary code.

Known Affected Software

  • Versions between 8.6.3 and 8.6.3.2.

Credits

  • redblaze (CHT Security)

2. Arbitrary File Upload

Description

The upload function allows attackers to upload files to the server without proper authentication and input validation.

Impact

An attacker can upload malicious files to the target machine, achieving remote code execution.

Known Affected Software

  • Versions between 8.6.3 and 8.6.3.2.

Credits

  • redblaze (CHT Security)