Arbitrary File Deletion Vulnerability in HPE LoadRunner and Performance Center

Arbitrary File Deletion Vulnerability in HPE LoadRunner and Performance Center

CVE-2016-4360 · MEDIUM Severity

AV:N/AC:L/AU:N/C:N/I:P/A:P

web/admin/data.js in the Performance Center Virtual Table Server (VTS) component in HPE LoadRunner 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.02 through patch 2, and 12.50 through patch 3 and Performance Center 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.20 through patch 2, and 12.50 through patch 1 do not restrict file paths sent to an unlink call, which allows remote attackers to delete arbitrary files via the path parameter to data/import_csv, aka ZDI-CAN-3555.

Learn more about our Cis Benchmark Audit For Server Software.