CVE-2019-14251

moderate-risk
Published 2019-12-09

An issue was discovered in T24 in TEMENOS Channels R15.01. The login page presents JavaScript functions to access a document on the server once successfully authenticated. However, an attacker can leverage downloadDocServer() to traverse the file system and access files or directories that are outside of the restricted directory because WealthT24/GetImage is used with the docDownloadPath and uploadLocation parameters.

Do I need to act?

!
56.6% chance of exploitation in next 30 days
EPSS score — higher than 43% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (1)

T24

Affected Vendors

Temenos

References (2)

Exploit https://github.com/kmkz/exploit/blob/master/CVE-2019-14251-TEMENOS-T24.txt
Exploit https://github.com/kmkz/exploit/blob/master/CVE-2019-14251-TEMENOS-T24.txt
49
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 18/34 · Moderate
Exposure 5/34 · Minimal