Vulnerability Note VU#893462
Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.9.4 build 2995 contains a code injection vulnerability
Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.94 build 2995 and possibly earlier versions contain a code injection vulnerability (CWE-94).
CWE-94: Improper Control of Generation of Code ('Code Injection')
Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.94 build 2995 and possibly earlier versions contain a code injection vulnerability. By default, this software package is configured to run with system privileges. A remote unauthenticated attacker can craft a URL that utilizes the software's file import function to upload malicious files or execute arbitrary code.
A remote unauthenticated attacker may be able to upload malicious files or execute arbitrary code with system privileges.
Restrict access to the Analytic Server interface
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Thomson Reuters | Affected | 16 Oct 2013 | 23 Jan 2014 |
Thanks to Eduardo Gonzalez Lainez for reporting this vulnerability.
This document was written by Adam Rauf.
- CVE IDs: CVE-2013-5912
- Date Public: 21 Nov 2013
- Date First Published: 22 Nov 2013
- Date Last Updated: 18 Oct 2017
- Document Revision: 37