CVE-2009-0244

HIGH

Microsoft Bluetooth stack - Path Traversal

Title source: llm
STIX 2.1

Description

Directory traversal vulnerability in the OBEX FTP Service in the Microsoft Bluetooth stack in Windows Mobile 6 Professional, and probably Windows Mobile 5.0 for Pocket PC and 5.0 for Pocket PC Phone Edition, allows remote authenticated users to list arbitrary directories, and create or read arbitrary files, via a .. (dot dot) in a pathname. NOTE: this can be leveraged for code execution by writing to a Startup folder.

References (6)

Core 6
Core References
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/33598
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/500199/100/0/threaded
Exploit third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/4938
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/33359
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/48124

Scores

CVSS v3 8.8
EPSS 0.3025
EPSS Percentile 98.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22
Status published
Products (2)
microsoft/windows_mobile 5.0 (3 CPE variants)
microsoft/windows_mobile 6.0 (3 CPE variants)
Published Jan 21, 2009
Tracked Since Feb 18, 2026