Multiple Vulnerabilities in Eventum
|Vendor:||Eventum Development Team|
|Vulnerable Versions:||2.3.4 and probably prior|
|Advisory Publication:||January 22, 2014 [without technical details]|
|Vendor Notification:||January 22, 2014|
|Vendor Fix:||January 24, 2014|
|Public Disclosure:||January 27, 2014|
|Latest Update:||January 27, 2014|
|Vulnerability Type:||Incorrect Default Permissions [CWE-276]|
Code Injection [CWE-94]
|CVSSv2 Base Scores:||6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)|
|Solution Status:||Fixed by Vendor|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge Security Research Lab discovered vulnerability in Eventum, which can be exploited to reinstall and compromise vulnerable application.
|Update to Eventum 2.3.5|
Vendor disclosed vulnerabilities and authorized us to release advisory on public before our usual delay (3 weeks).
| High-Tech Bridge Advisory HTB23198 - https://www.htbridge.com/advisory/HTB23198 - Multiple Vulnerabilities in Eventum.|
 Eventum - https://launchpad.net/eventum - Eventum is a user-friendly and flexible issue tracking system that can be used by a support department to track incoming technical support requests, or by a software development team to quickly organize tasks and bugs.
 Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
 ImmuniWeb® - a PCI compliant web application penetration test combined with managed vulnerability scan. Configure, schedule, and manage online 24/7.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.