CVE-2015-6459

GE MDS PulseNET < 3.1.5 - Path Traversal and Arbitrary File Read/Delete via FileDownloadServlet

Title source: llm
STIX 2.1

Description

Absolute path traversal vulnerability in the download feature in FileDownloadServlet in GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 allows remote attackers to read or delete arbitrary files via a full pathname.

References (3)

Core 3
Core References
Third Party Advisory x_refsource_misc
http://zerodayinitiative.com/advisories/ZDI-15-439/
Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-15-258-03

Scores

EPSS 0.0305
EPSS Percentile 86.0%

Details

CWE
CWE-22
Status published
Products (1)
ge/mds_pulsenet < 3.1.3 (2 CPE variants)
Published Sep 18, 2015
Tracked Since Feb 18, 2026