CVE-2015-4684 : Multiple directory traversal vulnerabilities in Polycom RealPresence Resource Ma

Multiple directory traversal vulnerabilities in Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allow (1) remote authenticated users to read arbitrary files via a .. (dot dot) in the Modifier parameter to PlcmRmWeb/FileDownload; or remote authenticated administrators to upload arbitrary files via the (2) Filename or (3) SE_FNAME parameter to PlcmRmWeb/FileUpload or to read and remove arbitrary files via the (4) filePathName parameter in an importSipUriReservations SOAP request to PlcmRmWeb/JUserManager.

Published 2017-09-19 19:29:00

Updated 2018-10-09 19:57:17

Source MITRE

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2015-4684

Polycom » Realpresence Resource Manager
Versions up to, including, (<=) 8.3.2
cpe:2.3:a:polycom:realpresence_resource_manager:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2015-4684

EPSS FAQ

12.42%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 93 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-4684

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:N	8.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
6.5	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N	1.2	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2015-4684

CWE-255

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-4684

https://support.polycom.com/global/documents/support/documentation/Security_Center_Post_for_RPRM_CVEs.pdf

404 Not Found
Vendor Advisory

CVEs referencing this url
https://www.exploit-db.com/exploits/37449/

Polycom RealPresence Resource Manager < 8.4 - Multiple Vulnerabilities
Exploit;Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.securityfocus.com/bid/75432

Polycom RealPresence Resource Manager Multiple Security vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url
http://packetstormsecurity.com/files/132463/Polycom-RealPresence-Resource-Manager-RPRM-Disclosure-Traversal.html

Polycom RealPresence Resource Manager (RPRM) Disclosure / Traversal ≈ Packet Storm
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.securityfocus.com/archive/1/535852/100/0/threaded

SecurityFocus

CVEs referencing this url
http://seclists.org/fulldisclosure/2015/Jun/81

Full Disclosure: SEC Consult SA-20150626-0 :: Critical vulnerabilities in Polycom RealPresence Resource Manager (RPRM) allow surveillance on conferences
Exploit;Mailing List;Third Party Advisory;VDB Entry

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2015-4684

Products affected by CVE-2015-4684

Exploit prediction scoring system (EPSS) score for CVE-2015-4684

CVSS scores for CVE-2015-4684

CWE ids for CVE-2015-4684

References for CVE-2015-4684