Palm webOS Flaws Let Remote Users Write to the File System or Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1025514 |
|
SecurityTracker URL: http://securitytracker.com/id/1025514
|
|
CVE Reference:
CVE-2011-1737, CVE-2011-1738
(Links to External Site)
|
Date: May 10 2011
|
Impact:
Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 1.4.5, 1.4.5.1
|
Description:
Two vulnerabilities were reported in Palm webOS. A remote user can execute arbitrary code on the target device. A remote user can write or modify files on the target device.
A remote user can exploit a flaw in the Email application to inject HTML and potentially execute arbitrary code [CVE-2011-1737].
David Belcher, BlackBerry Security Research Group, reported this vulnerability.
A remote user can exploit a flaw in applications that use the Plug-in Development Kit (PDK) to gain write access to the file system write access [CVE-2011-1738]. This may allow for information disclosure and remote code execution.
|
Impact:
A remote user can execute arbitrary code.
A remote user can write or modify files on the target device.
|
Solution:
The vendor has issued a fix (2.1).
The vendor's advisory is available at:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02822174
|
Vendor URL: h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02822174 (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 10 May 2011 19:46:46 +0000
Subject: HPSBMI02632 SSRT100379 rev.1 - HP/Palm webOS, Execution of Arbitrary Code, Denial of Service (DoS), Unauthorized File System Write Access
|
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02822174
CVE-2011-1737 (Email), CVE-2011-1738 (PDK applications)
|
|
