WARNING: This site only works in a modern, evergreen browser with javascript enabled. IE11 is not supported.
AB-2021-001

Security Advisory
AB-2021-001

Published 7 May 2021
Version 1.0.0
Severity Medium
CVSS Score CVSS 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

 

Affected Products

Control>Center
Versions 4.0.3.0, 4.0.2.5, and earlier

Overview

Local File Inclusion (LFI) vulnerability in Control>Center.

Description

An authorized and authenticated Control>Center user can exploit the log file API to read other types of files on the run host.

Impact

Files with sufficiently open file permissions can be read by an authorized and authenticated Control>Center user.

Solution

If you are using an affected version of Control>Center, we recommend that you upgrade to Version 4.0.2.6 or Version 4.0.3.1, or later.

Credits

Ab Initio thanks Gianluca Palma of Engineering Ingegneria Informatica S.p.A. for responsibly reporting the identified issue and working with us as we addressed it.