CVE-2012-2421

Absolute path traversal vulnerability in the intu-help-qb (aka Intuit Help System Async Pluggable Protocol) handlers in HelpAsyncPluggableProtocol.dll in Intuit QuickBooks 2009 through 2012, when Internet Explorer is used, might allow remote attackers to read arbitrary files in ZIP archives via a full pathname in the URI.

CVSS v2.0 1.8 LOW

1.8^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:A/AC:H/Au:N/C:P/I:N/A:N

Exploitability : 3.2 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.kb.cert.org/vuls/id/232979	US Government Resource
http://www.securityfocus.com/archive/1/522139
https://exchange.xforce.ibmcloud.com/vulnerabilities/75172

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:intuit:quickbooks:2012:::::::*
	cpe:2.3:a:intuit:quickbooks:2009:::::::*
	cpe:2.3:a:intuit:quickbooks:2010:::::::*
	cpe:2.3:a:intuit:quickbooks:2011:::::::*

cpe:2.3:a:microsoft:internet_explorer:*:*:*:*:*:*:*:*

Information

Published : 2012-04-25 13:55

Updated : 2021-07-23 08:12

NVD link : CVE-2012-2421

Mitre link : CVE-2012-2421

JSON object : View

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Products Affected

intuit

quickbooks

microsoft

internet_explorer

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.kb.cert.org/vuls/id/232979", "name": "VU#232979", "tags": ["US Government Resource"], "refsource": "CERT-VN"}, {"url": "http://www.securityfocus.com/archive/1/522139", "name": "20120330 Intuit Help System Protocol File Retrieval", "tags": [], "refsource": "BUGTRAQ"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75172", "name": "quickbooks-intuit-info-disclosure(75172)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Absolute path traversal vulnerability in the intu-help-qb (aka Intuit Help System Async Pluggable Protocol) handlers in HelpAsyncPluggableProtocol.dll in Intuit QuickBooks 2009 through 2012, when Internet Explorer is used, might allow remote attackers to read arbitrary files in ZIP archives via a full pathname in the URI."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-22"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2012-2421", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 1.8, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "LOW", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 3.2, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2012-04-25T20:55Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:intuit:quickbooks:2012:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:intuit:quickbooks:2009:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:intuit:quickbooks:2010:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:intuit:quickbooks:2011:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:internet_explorer:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2021-07-23T15:12Z"}

1.8 /10