CVE: CVE-2009-0244

Export to Word

Directory traversal vulnerability in the OBEX FTP Service in the Microsoft Bluetooth stack in Windows Mobile 6 Professional, and probably Windows Mobile 5.0 for Pocket PC and 5.0 for Pocket PC Phone Edition, allows remote authenticated users to list arbitrary directories, and create or read arbitrary files, via a .. (dot dot) in a pathname. NOTE: this can be leveraged for code execution by writing to a Startup folder.

Threat-Mapped Scoring

Score: 1.8

Priority: P4 - Informational (Low)

S9 – Sabotage of System/App

EPSS

Score: 0.17356
Percentile: 0.94745

CVSS Scoring

CVSS v3.1 Score: 8.8

Severity: HIGH

Mapped CWE(s)

CWE-22 : Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

All CAPEC(s)

CAPEC-126: Path Traversal
CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic
CAPEC-76: Manipulating Web Input to File System Calls
CAPEC-78: Using Escaped Slashes in Alternate Encoding
CAPEC-79: Using Slashes in Alternate Encoding

CAPEC(s) with Mapped TTPs

Mapped ATT&CK TTPs

Affected Products

cpe:2.3:o:microsoft:windows_mobile:5.0:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_mobile:5.0:*:pocket_pc:*:*:*:*:*
cpe:2.3:o:microsoft:windows_mobile:5.0:*:smartphone:*:*:*:*:*
cpe:2.3:o:microsoft:windows_mobile:6.0:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_mobile:6.0:*:pro:*:*:*:*:*
cpe:2.3:o:microsoft:windows_mobile:6.0:*:standard:*:*:*:*:*

← Back to Home