CVE-2007-6197
Published 2007-12-01
Priority: P4 · 17 · medium · 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 1.58% (72.5th percentile)
The Plumtree portal in BEA AquaLogic Interaction 5.0.2 through 5.0.4 and 6.0.1.218452 allows remote attackers to obtain version numbers and internal hostnames by reading comments in the HTML source of any page.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bea | aqualogic_interaction | — | — |
| bea | aqualogic_interaction | — | — |
| bea | aqualogic_interaction | — | — |
| bea | aqualogic_interaction | — | — |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE-540: Inclusion of Sensitive Information in Source Code
[HIGH] mitre_cwe · CVSS 7.5
Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
There are situations where it is critical to remove source code from an area or server. For example, obtaining Perl source code on a system allows an attacker to understand the logic of the script and extract extremely useful information such as code bugs or logins and passwords.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Confidentiality. Impact: Read Application Data.
Detection Methods:
Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code
CWE-615: Inclusion of Sensitive Information in Source Code Comments
[MEDIUM] mitre_cwe · CVSS 5.0
While adding general comments is very useful, some programmers tend to leave important data in them, such as filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.
An attacker who finds these comments can map the application's structure and files, expose hidden parts of the site, and study the fragments of code to reverse engineer the application, which may help develop further attacks against the site.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Confidentiality. Impact: Read Application Data.
Detection Methods:
Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testi
http://procheckup.com/Vulnerability_PR06-08.php
http://procheckup.com/Vulnerability_PR06-09.php
http://secunia.com/advisories/27840
http://www.securityfocus.com/archive/1/484467/100/0/threaded
http://www.securitytracker.com/id?1019005
http://www.vupen.com/english/advisories/2007/4040
2007-12-01
Published