CVE-2020-14946 : downloadFile.ashx in the Administrator section of the Surveillance module in Glo

downloadFile.ashx in the Administrator section of the Surveillance module in Global RADAR BSA Radar 1.6.7234.24750 and earlier allows users to download transaction files. When downloading the files, a user is able to view local files on the web server by manipulating the FileName and FilePath parameters in the URL, or while using a proxy. This vulnerability could be used to view local sensitive files or configuration files.

Published 2020-06-22 22:15:13

Updated 2023-01-30 20:00:48

Source MITRE

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2020-14946

Globalradar » Bsa Radar
Versions up to, including, (<=) 1.6.7234.24750
cpe:2.3:a:globalradar:bsa_radar:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-14946

EPSS FAQ

1.20%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 85 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-14946

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	2.8	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2020-14946

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-14946

https://github.com/wsummerhill/BSA-Radar_CVE-Vulnerabilities/blob/master/CVE-2020-14946%20-%20Local%20File%20Inclusion.md

BSA-Radar_CVE-Vulnerabilities/CVE-2020-14946 - Local File Inclusion.md at master · wsummerhill/BSA-Radar_CVE-Vulnerabilities · GitHub
Exploit;Third Party Advisory
https://github.com/wsummerhill/BSA-Radar_CVE-Vulnerabilities

GitHub - wsummerhill/BSA-Radar_CVE-Vulnerabilities: CVE submissions for the Global Radar - BSA Radar banking application
Third Party Advisory

CVEs referencing this url
http://packetstormsecurity.com/files/158420/BSA-Radar-1.6.7234.24750-Local-File-Inclusion.html

BSA Radar 1.6.7234.24750 Local File Inclusion ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2020-14946

Products affected by CVE-2020-14946

Exploit prediction scoring system (EPSS) score for CVE-2020-14946

CVSS scores for CVE-2020-14946

CWE ids for CVE-2020-14946

References for CVE-2020-14946