Security Advisory - DxWebEngine Directory Traversal
Applies to:
- DxEnterprise 19.5 for Windows
- DxOdyssey 19.5 for Windows
- DxEnterprise 20.0 for Windows
- DxOdyssey 20.0 for Windows
Security Advisory Description
DxWebEngine, a component of DxEnterprise and DxOdyssey products, has an information disclosure vulnerability via a directory traversal exploit on Windows.
Impact
This vulnerability allows unauthenticated attackers and authenticated users with network access to the DxWebEngine service to remotely retrieve arbitrary file contents without authorization.
Security Advisory Status
DH2i Product Development has assigned Work Item #2952 to this vulnerability.
To determine if your product version is vulnerable, refer to the following table.
Product | Vulnerable Versions | Vulnerable Component |
---|---|---|
DxEnterprise for Windows | *19.5.0 - 20.0.218 | DxWebEngine |
DxOdyssey for Windows | *19.5.0 - 20.0.219 | DxWebEngine |
* v19.5.0 is vulnerable only when DxWebEngine has been started manually.
Security Advisory Recommended Actions and Mitigations
DxWebEngine is a non-critical, peripheral service that can be disabled without any impact on the current functionality of DxEnterprise or DxOdyssey. If you are running a version listed in the Vulnerable Versions column, you can eliminate this vulnerability by stopping and disabling the DxWebEngine component.
- Stop DxWebEngine
net stop dxwebengine
- Disable DxWebEngine
sc.exe config dxwebengine start= disabled
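
The two steps above with a version check and a verification pass, as an added PowerShell example (not DH2i's code). The function name and its parameters are hypothetical, and the installed version is assumed to be supplied by the operator; the service name and version ranges come from this advisory.

```powershell
# Added example, not DH2i code. Service name and version ranges come from the
# advisory. Run elevated; use -WhatIf to preview without changing anything.
function Invoke-DxWebEngineMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('DxEnterprise', 'DxOdyssey')]
        [string]$Product,
        # Installed product version, supplied by the operator (e.g. '20.0.218').
        [Parameter(Mandatory)][version]$InstalledVersion
    )

    # Inclusive vulnerable ranges from the advisory table.
    $ranges = @{
        DxEnterprise = @{ Min = [version]'19.5.0'; Max = [version]'20.0.218' }
        DxOdyssey    = @{ Min = [version]'19.5.0'; Max = [version]'20.0.219' }
    }
    # Compare on three parts only: [version]'20.0.218.0' sorts above
    # [version]'20.0.218', which would wrongly fall outside the range.
    $v = [version]::new($InstalledVersion.Major, $InstalledVersion.Minor,
                        [Math]::Max($InstalledVersion.Build, 0))
    $inRange = ($v -ge $ranges[$Product].Min) -and ($v -le $ranges[$Product].Max)
    # Win32_Service reports both the run state and the configured start mode.
    $query = @{ ClassName = 'Win32_Service'; Filter = "Name='dxwebengine'" }
    $svc = Get-CimInstance @query
    $action = 'None'
    if ($svc -and $inRange -and
        ($svc.State -ne 'Stopped' -or $svc.StartMode -ne 'Disabled')) {
        if ($PSCmdlet.ShouldProcess('dxwebengine', 'Stop and disable service')) {
            Stop-Service -Name dxwebengine -Force -ErrorAction Stop
            Set-Service -Name dxwebengine -StartupType Disabled -ErrorAction Stop
            $svc = Get-CimInstance @query   # re-read to confirm the change
            $action = 'StoppedAndDisabled'
        } else {
            $action = 'Skipped'
        }
    }
    [pscustomobject]@{
        Product           = $Product
        InVulnerableRange = $inRange
        ServiceState      = if ($svc) { $svc.State } else { 'NotInstalled' }
        StartMode         = if ($svc) { $svc.StartMode } else { $null }
        Action            = $action
        # Mitigated means the service is absent, or stopped and disabled.
        Mitigated         = (-not $svc) -or
                            ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
    }
}
```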