CVE-2017-9812
The reportId parameter of the getReportStatus action method can be abused in the web interface in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312) to read arbitrary files with kluser privileges.
Affected products
n/a

Public PoCs found: 3

- cve_reference: packetstormsecurity.com/files/143190/Kaspersky-Anti-Virus-File-Server-8.0.3.297-XSS-CSRF-Code-Execution.html (unverified)
- cve_reference: www.exploit-db.com/exploits/42269/ (unverified)
- exploitdb: www.exploit-db.com/exploits/42269 (unverified)

Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/143190/Kaspersky-Anti-Virus-File-Server-8.0.3.297-XSS-CSRF-Code-Execution.html
http://seclists.org/fulldisclosure/2017/Jun/33
https://www.coresecurity.com/advisories/kaspersky-anti-virus-file-server-multiple-vulnerabilities
https://www.exploit-db.com/exploits/42269/
http://www.securityfocus.com/bid/99330
http://www.securitytracker.com/id/1038798