ALC WebCTRL/i-Vu/SiteScan Vulnerabilities: Path Traversal, Unquoted Search Path, Dangerous Upload (CVE-2017-9644/9640/9650)

Critical Vulnerability Information CVE Code and Severity - CVSS v3: 8.3 - Severity: Remotely exploitable/low skill level to exploit. Vulnerabilities - Unquoted Search Path or Element: CVE-2017-9644 (CVSS: 4.2) - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): CVE-2017-9640 (CVSS: 6.3) - Unrestricted Upload of File with Dangerous Type: CVE-2017-9650 (CVSS: 8.3) Affected Products - ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior - ALC WebCTRL, SiteScan Web 6.1 and prior - ALC WebCTRL, i-Vu 6.0 and prior - ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior - ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior Impact - Successful exploitation could allow an authenticated user to elevate privileges and execute arbitrary code on the system. Mitigation - Upgrade to supported versions 6.0 and greater - Follow vendor guidelines for installation and maintenance - Apply specific patches released by ALC Researcher - Identifying vulnerabilities: Gjoko Krstic from Zero Science Lab Additional Information - CVSS vectors for each vulnerability - Recommended practices for control systems security - No known public exploits target these vulnerabilities.

Goal Reached Thanks to every supporter — we hit 100%!

ALC WebCTRL/i-Vu/SiteScan Vulnerabilities: Path Traversal, Unquoted Search Path, Dangerous Upload (CVE-2017-9644/9640/9650)