• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Vignette NEEDS Command TCL Code Injection Vulnerability

Under some circumstances Vignette applications that harness the Vignette API, specifically a 'NEEDS' command that follows a certain code path, may be prone to injection of arbitrary TCL code.

This could allow remote attackers to execute arbitrary commands with the privileges of the affected server. It has been reported that several of the default Vignette applications are prone to this issue.

This issue could also affect third-party applications that are developed for use with Vignette.

This issue was reported for Vignette StoryServer version 5 and version 6.