CVE-2015-6459
GE MDS PulseNET < 3.1.5 - Path Traversal and Arbitrary File Read/Delete via FileDownloadServlet
Title source: llmDescription
Absolute path traversal vulnerability in the download feature in FileDownloadServlet in GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 allows remote attackers to read or delete arbitrary files via a full pathname.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
http://www.gedigitalenergy.com/app/resources.aspx?prod=pulsenet&type=9
Third Party Advisory x_refsource_misc
http://zerodayinitiative.com/advisories/ZDI-15-439/
Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-15-258-03
Scores
EPSS
0.0305
EPSS Percentile
86.0%
Details
CWE
CWE-22
Status
published
Products (1)
ge/mds_pulsenet
< 3.1.3 (2 CPE variants)
Published
Sep 18, 2015
Tracked Since
Feb 18, 2026