Description
WBPublish (aka WBPublish.exe) in Fujitsu-Siemens WebTransactions 7.0, 7.1, and possibly other versions allows remote attackers to execute arbitrary commands via shell metacharacters in input that is sent through HTTP and improperly used during temporary session data cleanup, possibly related to (1) directory names, (2) template names, and (3) session IDs.
References (9)
Core 9
Core References
Various Sources x_refsource_misc
http://www.sec-consult.com/files/20081219-0_fujitsu-siemens_webta_cmdexec.txt
Patch x_refsource_confirm
http://bs2www.fujitsu-siemens.de/update/securitypatch.htm#english
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/47495
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1021475
Third Party Advisory third-party-advisory
x_refsource_sreason
http://securityreason.com/securityalert/4856
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2008/3462
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/32927
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/499417/100/0/threaded
Patch, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/33168
Scores
EPSS
0.0376
EPSS Percentile
88.6%
Details
CWE
CWE-20
Status
published
Products (2)
fujitsu-siemens/webtransactions
7.0
fujitsu-siemens/webtransactions
7.1
Published
Jan 02, 2009
Tracked Since
Feb 18, 2026