SUMMARY

The following vulnerability was found in LISTSERV Maestro 9.0-8 and prior.

An unauthenticated remote code execution vulnerability was found in the LISTSERV Maestro software, version 9.0-8 and prior. The vulnerability stems from a known issue in Apache Struts, CVE-2010-1870, that allows code execution via OGNL injection. It has been confirmed to be exploitable in both the Windows and Linux versions of the software and has existed in LISTSERV Maestro since at least version 8.1-5.

IMPACT

Access Vector:       REMOTE
Access Complexity:   LOW
Authentication:      NOT REQUIRED TO EXPLOIT
Impact Type:         CODE EXECUTION
Privilege Level:     VARIES

AFFECTED PRODUCTS

SOFTWARE FIXES

  • Update to the most recent version of LISTSERV Maestro or apply the temporary patch provided by L-Soft (https://dropbox.lsoft.us/download/LMA9.0-8-patch-2020-10-13.zip).

TIMELINE

REFERENCES