CVE-2004-1893

Dreamweaver MX, when "Using Driver On Testing Server" or "Using DSN on Testing Server" is selected, uploads the mmhttpdb.asp script to the web site but does not require authentication, which allows remote attackers to obtain sensitive information and possibly execute arbitrary SQL commands via a direct request to mmhttpdb.asp.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://marc.info/?l=bugtraq&m=108102481929451&w=2
http://secunia.com/advisories/11284	Patch
http://www.macromedia.com/devnet/security/security_zone/mpsb04-05.html	Vendor Advisory
http://www.nextgenss.com/advisories/dreamweaver.txt
http://www.securityfocus.com/bid/10036
https://exchange.xforce.ibmcloud.com/vulnerabilities/15721

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:macromedia:dreamweaver:6.0:::::::*
	cpe:2.3:a:macromedia:dreamweaver:6.1:::::::*
	cpe:2.3:a:macromedia:dreamweaver:2004:::::::*
	cpe:2.3:a:macromedia:dreamweaver_ultradev:4.0:::::::*

History

No history.

Information

Published : 2004-12-31 05:00

Updated : 2023-12-10 10:17

NVD link : CVE-2004-1893

Mitre link : CVE-2004-1893

CVE.ORG link : CVE-2004-1893

JSON object : View

Products Affected

macromedia

dreamweaver
dreamweaver_ultradev

CWE

NVD-CWE-Other

{"id": "CVE-2004-1893", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2004-12-31T05:00:00.000", "references": [{"url": "http://marc.info/?l=bugtraq&m=108102481929451&w=2", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/11284", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://www.macromedia.com/devnet/security/security_zone/mpsb04-05.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.nextgenss.com/advisories/dreamweaver.txt", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/10036", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/15721", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Dreamweaver MX, when \"Using Driver On Testing Server\" or \"Using DSN on Testing Server\" is selected, uploads the mmhttpdb.asp script to the web site but does not require authentication, which allows remote attackers to obtain sensitive information and possibly execute arbitrary SQL commands via a direct request to mmhttpdb.asp."}], "lastModified": "2017-07-11T01:31:26.543", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:macromedia:dreamweaver:6.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9E8C9E95-ACFC-49CD-BD6E-5D5D269F257F"}, {"criteria": "cpe:2.3:a:macromedia:dreamweaver:6.1:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "29664269-770C-4E39-95B8-E754A5E7C17E"}, {"criteria": "cpe:2.3:a:macromedia:dreamweaver:2004:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F7E6E1EA-1A14-4B64-9E8C-BCC629F98346"}, {"criteria": "cpe:2.3:a:macromedia:dreamweaver_ultradev:4.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D966A980-57F2-4FBB-A86C-EB93C8AE4A85"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}