Summary
A directory traversal vulnerability exists in Crystal Reports and Crystal Enterprise from Business Objects that could allow Information Disclosure and Denial of Service attacks on an affected system. An attacker who successfully exploited the vulnerability could retrieve and delete files through the Crystal Reports and Crystal Enterprise Web interface on an affected system.
Solution
Microsoft has released a patch to fix this issue. Download it from the following website: http://www.microsoft.com/technet/security/bulletin/ms04-017.mspx
Visual Studio .NET 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=659CA40E-808D-431D-A7D3-33BC3ACE922D&displaylang=en
Outlook 2003 with Business Contact Manager:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9016B9F3-BA86-4A95-9D89-E120EF2E85E3&displaylang=en
Microsoft Business Solutions CRM 1.2:
http://go.microsoft.com/fwlink/?LinkId=30127
Severity
Classification
- CVE: CVE-2004-0204
- CVSS Base Score: 7.5
- CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Buffer Overrun in Messenger Service (828035)
- Microsoft .NET Framework Remote Code Execution Vulnerability (3000414)
- Microsoft Foundation Classes Could Allow Remote Code Execution Vulnerability (2387149)
- Cumulative Security Update for Internet Explorer (958215)
- Microsoft .NET Framework Privilege Elevation Vulnerability (2958732)