CVE-2019-9632
published 2019-03-08


Priority: P267 · high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tag: EXPLOIT
EPSS: 39.88% (98.4th percentile)
ESAFENET CDG V3 and V5 has an arbitrary file download vulnerability via the fileName parameter in download.jsp because the InstallationPack parameter is mishandled in a /CDGServer3/ClientAjax request.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
esafenet | electronic_document_security_management_system | |
esafenet | electronic_document_security_management_system | |

Detection & IOCs (extracted from sources)

url: /CDGServer3/ClientAjax
path: /CDGServer3/ClientAjax
command: command=downclientpak&InstallationPack=../WEB-INF/web.xml&forward=index.jsp
path: ../WEB-INF/web.xml
  • POST requests to /CDGServer3/ClientAjax with body parameter 'command=downclientpak' indicate exploitation of CVE-2019-9632 arbitrary file download.
  • HTTP 200 response containing the string 'CDGPermissions' in the body confirms successful arbitrary file read via the InstallationPack path traversal parameter.
  • FOFA query 'title="电子文档安全管理系统"' can be used to identify exposed ESAFENET CDG instances on the internet.
  • The vulnerability affects both ESAFENET CDG V3 and V5; the nuclei template targets the V3 server path (/CDGServer3/ClientAjax), so V5 endpoints may differ.
  • The exploit requires no authentication (PR:N, UI:N), making it trivially exploitable from the network without credentials.
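
Added example, not taken from this page's sources or from any vendor or template code: a log-triage function that grades HTTP exchanges against the indicators listed above, decoding percent-encoding repeatedly so an encoded traversal in InstallationPack is still caught. The event schema (url, body, status, resp_body) and the sample records are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/cdgserver3/clientajax"  # V3 path from the page; V5 endpoints may differ
MARKER = "CDGPermissions"            # response string the page ties to a successful read

def _decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded dots and slashes are seen."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value.replace("\\", "/")

def classify(event):
    """Grade one exchange: 'none', 'command_seen', 'traversal' or 'confirmed'.
    event is a dict with url, body, status, resp_body (hypothetical log schema)."""
    parts = urlsplit(event["url"])
    if _decode(parts.path).rstrip("/").lower() != ENDPOINT:
        return "none"
    # The method is not filtered: parameters are read from query string and body.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, vals in parse_qs(event.get("body", ""), keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    if "downclientpak" not in [c.lower() for c in params.get("command", [])]:
        return "none"
    packs = [_decode(p) for p in params.get("InstallationPack", [])]
    if not any(".." in p.split("/") for p in packs):
        return "command_seen"
    if event.get("status") == 200 and MARKER in event.get("resp_body", ""):
        return "confirmed"
    return "traversal"

# Constructed sample exchanges (not real traffic); client.zip is a made-up value.
SAMPLE_EVENTS = [
    {"url": "/CDGServer3/ClientAjax", "status": 200,
     "body": "command=downclientpak&InstallationPack=../WEB-INF/web.xml&forward=index.jsp",
     "resp_body": "<web-app>...CDGPermissions...</web-app>"},
    {"url": "/CDGServer3/ClientAjax", "status": 404, "resp_body": "",
     "body": "command=downclientpak&InstallationPack=%252e%252e%2fWEB-INF%2fweb.xml"},
    {"url": "/CDGServer3/ClientAjax", "status": 200, "resp_body": "",
     "body": "command=downclientpak&InstallationPack=client.zip"},
    {"url": "/index.jsp", "status": 200, "resp_body": "", "body": ""},
]

def grade_all(events):
    return [classify(e) for e in events]
```

Grading needs request bodies and response content, which standard access logs do not record; a WAF, reverse proxy or packet capture is the usual source.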

CVSS provenance

nvd · v3.0 · 7.5 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N