Version: Archive

Security Advisory - DxWebEngine Directory Traversal

Applies to:

  • DxEnterprise 19.5 for Windows
  • DxOdyssey 19.5 for Windows
  • DxEnterprise 20.0 for Windows
  • DxOdyssey 20.0 for Windows

Security Advisory Description

DxWebEngine, a component of DxEnterprise and DxOdyssey products, has an information disclosure vulnerability via a directory traversal exploit on Windows.

Impact

This vulnerability allows unauthenticated attackers and authenticated users with network access to the DxWebEngine service to remotely retrieve arbitrary file contents without authorization.

Security Advisory Status

DH2i Product Development has assigned Work Item #2952 to this vulnerability.

To determine if your product version is vulnerable, refer to the following table.

Product                      Vulnerable Versions    Vulnerable Component
DxEnterprise for Windows*    19.5.0 - 20.0.218      DxWebEngine
DxOdyssey for Windows*       19.5.0 - 20.0.219      DxWebEngine

* v19.5.0 is vulnerable only when DxWebEngine has been started manually.

DxWebEngine is a non-critical, peripheral service that can be disabled without any impact on the current functionality of DxEnterprise or DxOdyssey. If you are running a version listed in the Vulnerable Versions column, you can eliminate this vulnerability by stopping and disabling the DxWebEngine component.

  1. Stop DxWebEngine
    net stop dxwebengine
  2. Disable DxWebEngine
    sc config dxwebengine start= disabled
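
To apply the two steps above and confirm they took effect, the following PowerShell script can be run on each affected host. It is an added example, not DH2i tooling; it assumes an elevated session and that the service is registered under the name dxwebengine, as in the commands above.

```powershell
# Added example: apply and verify the DxWebEngine mitigation on the local host.
# Assumption: the service name is 'dxwebengine', as used in the advisory commands.
$ServiceName = 'dxwebengine'

function Get-DxWebEngineState {
    # Returns $null when the service is not installed on this host.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }

    # Win32_Service exposes the configured start mode (Auto, Manual, Disabled).
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Status    = $svc.Status
        StartMode = $cim.StartMode
        # Mitigated only when the service is both stopped and unable to restart.
        Mitigated = ($svc.Status -eq 'Stopped' -and $cim.StartMode -eq 'Disabled')
    }
}

$state = Get-DxWebEngineState
if (-not $state) {
    Write-Output "Service '$ServiceName' is not installed on $env:COMPUTERNAME; nothing to do."
    return
}

if (-not $state.Mitigated) {
    # Step 1: stop the running service (equivalent to 'net stop dxwebengine').
    if ($state.Status -ne 'Stopped') {
        Stop-Service -Name $ServiceName -ErrorAction Stop
    }
    # Step 2: prevent it from starting again, manually or at boot.
    Set-Service -Name $ServiceName -StartupType Disabled -ErrorAction Stop
    $state = Get-DxWebEngineState
}

# Emit the final state so it can be collected from several hosts.
$state

if (-not $state.Mitigated) {
    throw "DxWebEngine is still $($state.Status)/$($state.StartMode) on $env:COMPUTERNAME"
}
```

A host is reported as mitigated only when the service is both stopped and disabled, which also catches the 19.5.0 case where the service was started manually.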
