Cognos Powerplay Web Edition Dynamic Directory Vulnerability

Cognos Powerplay Web Edition Dynamic Directory Vulnerability

Cognos Powerplay Web Edition is a commercial Business Performance Measurement and Reporting application.

Normally when a user attempts to access protected data cubes they are prompted for a userid/password. No attempt is made by the service to further authenticate the user.

Remote attackers can display directories dynamically, which will allow unauthenticated access to the data cubes in those directories.

When accessed in this manner, sensitive information enclosed within data cubes will be displayed.