Vulnerability Name: | CVE-2010-0189 (CCN-56370) |
Assigned: | 2010-02-18 |
Published: | 2010-02-18 |
Updated: | 2017-09-19 |
Summary: | A certain ActiveX control in NOS Microsystems getPlus Download Manager (aka DLM or Downloader) 1.5.2.35, as used in Adobe Download Manager, improperly validates requests involving web sites that are not in subdomains, which allows remote attackers to force the download and installation of arbitrary programs via a crafted name for a download site. Per: http://blogs.adobe.com/psirt/2010/02/adobe_download_manager_issue.html
"Adobe is aware of the recently posted report of a remote code execution vulnerability in the Adobe Download Manager."
|
CVSS v3 Severity: | 10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) |
Exploitability Metrics: | Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None |
Scope: | Scope (S): Changed |
Impact Metrics: | Confidentiality (C): High; Integrity (I): High; Availability (A): High |
|
CVSS v2 Severity: | 9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C) |
| 6.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C) |
Exploitability Metrics: | Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None |
Impact Metrics: | Confidentiality (C): Complete; Integrity (I): Complete; Availability (A): Complete |
| 9.3 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C) |
| 6.9 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C) |
Exploitability Metrics: | Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None |
Impact Metrics: | Confidentiality (C): Complete; Integrity (I): Complete; Availability (A): Complete |
|
Vulnerability Type: | CWE-20
|
Vulnerability Consequences: | Gain Access |
References: | Source: CCN Type: Aviv Raff On .NET Skeletons in Adobe's security closet
Source: MISC Type: UNKNOWN http://aviv.raffon.net/2010/02/18/SkeletonsInAdobesSecurityCloset.aspx
Source: MISC Type: UNKNOWN http://blogs.adobe.com/psirt/2010/02/adobe_download_manager_issue.html
Source: MISC Type: UNKNOWN http://blogs.zdnet.com/security/?p=5505
Source: MITRE Type: CNA CVE-2010-0189
Source: IDEFENSE Type: UNKNOWN 20100223 Multiple Vendor NOS Microsystems getPlus Downloader Input Validation Vulnerability
Source: CCN Type: SA38729 Adobe getPlus DLM Unauthorised Installation Vulnerability
Source: SECUNIA Type: Vendor Advisory 38729
Source: CCN Type: SECTRACK ID: 1023651 Adobe Download Manager Flaw Lets Remote Users Download and Install Arbitrary Software
Source: SECTRACK Type: UNKNOWN 1023651
Source: CCN Type: Adobe Product Security Bulletin APSB10-08 Security update available for Adobe Download Manager
Source: CONFIRM Type: Patch, Vendor Advisory http://www.adobe.com/support/security/bulletins/apsb10-08.html
Source: MISC Type: UNKNOWN http://www.akitasecurity.nl/advisory.php?id=AK20090401
Source: CCN Type: NOS Microsystems Web site getPlus
Source: OSVDB Type: UNKNOWN 62547
Source: CCN Type: OSVDB ID: 62547 Adobe getPlus DLM (Download Manager) on Windows getPlus Downloader Software Installation Authorization Weakness
Source: BID Type: UNKNOWN 38313
Source: CCN Type: BID-38313 NOS getPlus Downloader Domain Validation Arbitrary File Download Vulnerability
Source: VUPEN Type: Vendor Advisory ADV-2010-0459
Source: XF Type: UNKNOWN getplus-dlmanager-code-execution(56370)
Source: XF Type: UNKNOWN adobe-dlmanager-unspecified-file-download(56370)
Source: CCN Type: iDefense Labs Public Advisory: 02.23.10 Multiple Vendor NOS Microsystems getPlus Downloader Input Validation Vulnerability
Source: OVAL Type: UNKNOWN oval:org.mitre.oval:def:7182
|
Vulnerable Configuration: | Configuration 1:
cpe:/a:nos_microsystems:getplus_download_manager:1.5.2.35:*:*:*:*:*:*:*
AND cpe:/a:adobe:download_manager:*:*:*:*:*:*:*:* (Version <= 1.6.2.60)
Configuration CCN 1:
cpe:/a:adobe:acrobat:8.0::standard:*:*:*:*:*
OR cpe:/a:adobe:acrobat:8.1::standard:*:*:*:*:*
OR cpe:/a:adobe:acrobat:8.1.1::standard:*:*:*:*:*
OR cpe:/a:adobe:acrobat:8.1.2::standard:*:*:*:*:*
OR cpe:/a:adobe:acrobat:8.0::professional:*:*:*:*:*
OR cpe:/a:adobe:acrobat:8.1.1::professional:*:*:*:*:*
OR cpe:/a:adobe:acrobat:8.1.2::professional:*:*:*:*:*
OR cpe:/a:adobe:acrobat:9.0::professional:*:*:*:*:*
OR cpe:/a:adobe:acrobat:9.0::standard:*:*:*:*:*
OR cpe:/a:adobe:reader:8.1.1:*:*:*:*:*:*:*
OR cpe:/a:adobe:reader:9.0:*:*:*:*:*:*:*
OR cpe:/a:adobe:reader:8.1.2:*:*:*:*:*:*:*
OR cpe:/a:adobe:reader:8.1.4:*:*:*:*:*:*:*
OR cpe:/a:adobe:reader:9.1:*:*:*:*:*:*:*
OR cpe:/a:adobe:reader:9.1.1:*:*:*:*:*:*:*
OR cpe:/a:adobe:acrobat:8.1.4::standard:*:*:*:*:*
OR cpe:/a:adobe:acrobat:8.1.3::standard:*:*:*:*:*
OR cpe:/a:adobe:acrobat:9.1::standard:*:*:*:*:*
OR cpe:/a:adobe:acrobat:8.1.2:security_update:professional:*:*:*:*:*
OR cpe:/a:adobe:acrobat:8.1.3::professional:*:*:*:*:*
OR cpe:/a:adobe:acrobat:8.1.4::professional:*:*:*:*:*
OR cpe:/a:adobe:reader:9.1.2:*:*:*:*:*:*:*
OR cpe:/a:adobe:reader:9.1.3:*:*:*:*:*:*:*
OR cpe:/a:adobe:reader:8.1.6:*:*:*:*:*:*:*
OR cpe:/a:adobe:reader:8.1.7:*:*:*:*:*:*:*
OR cpe:/a:adobe:reader:9.2:*:*:*:*:*:*:*
OR cpe:/a:adobe:reader:8.1.5:*:*:*:*:*:*:*
OR cpe:/a:adobe:reader:9.3.1:*:*:*:*:*:*:*
OR cpe:/a:adobe:spelling_dictionaries_support_for_adobe_reader:8.0.0:*:*:*:*:*:*:*
Oval Definitions |
Definition ID | Class | Title | Last Modified |
---|---|---|---|
oval:org.mitre.oval:def:7182 | V | ActiveX control in NOS Microsystems getPlus Download Manager Vulnerability | 2014-06-30 |