{"api_version":"1","generated_at":"2026-04-23T20:59:16+00:00","cve":"CVE-2008-0457","urls":{"html":"https://cve.report/CVE-2008-0457","api":"https://cve.report/api/cve/CVE-2008-0457.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2008-0457","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2008-0457"},"summary":{"title":"CVE-2008-0457","description":"Unrestricted file upload vulnerability in the FileUpload class running on the Symantec LiveState Apache Tomcat server, as used by Symantec Backup Exec System Recovery Manager 7.0 and 7.0.1, allows remote attackers to upload and execute arbitrary JSP files via unknown vectors.","state":"PUBLISHED","assigner":"mitre","published_at":"2008-02-07 21:00:00","updated_at":"2026-04-23 00:35:47"},"problem_types":["CWE-20","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"10","severity":"","vector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","baseScore":10,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"}}],"references":[{"url":"http://seer.entsupport.symantec.com/docs/297171.htm","name":"http://seer.entsupport.symantec.com/docs/297171.htm","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"Invalid URL","mime":"text/html","httpstatus":"400","archivestatus":"200"},{"url":"http://www.securityfocus.com/archive/1/487688/100/0/threaded","name":"http://www.securityfocus.com/archive/1/487688/100/0/threaded","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"SecurityFocus","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/27487","name":"http://www.securityfocus.com/bid/27487","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit"],"title":"Symantec Backup Exec System Recovery Manager FileUpload Class Unauthorized File Upload Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.exploit-db.com/exploits/5078","name":"https://www.exploit-db.com/exploits/5078","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Backup Exec System Recovery Manager <= 7.0.1 File Upload Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/28787","name":"http://secunia.com/advisories/28787","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"Symantec Backup Exec System Recovery Manager File Upload Vulnerability - Secunia Advisories - Vulnerability Intelligence - Secunia.com","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.zerodayinitiative.com/advisories/ZDI-08-003.html","name":"http://www.zerodayinitiative.com/advisories/ZDI-08-003.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Zero Day Initiative","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.vupen.com/english/advisories/2008/0413","name":"http://www.vupen.com/english/advisories/2008/0413","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"Webmail : Solution de messagerie professionnelle - OVHcloud- OVH","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id?1019303","name":"http://www.securitytracker.com/id?1019303","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"SecurityTracker.com Archives - Symantec BackupExec System Recovery Manager Lets Remote Users Upload Arbitrary Files and Execute Arbitrary Code","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.symantec.com/avcenter/security/Content/2008.02.04.html","name":"http://www.symantec.com/avcenter/security/Content/2008.02.04.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"Symantec Security Advisory","mime":"text/html","httpstatus":"404","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2008-0457","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2008-0457","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2008","cve_id":"457","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"symantec","cpe5":"backupexec_system_recovery","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"457","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"symantec","cpe5":"backupexec_system_recovery","cpe6":"7.01","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-07T07:46:54.620Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"5078","tags":["exploit","x_refsource_EXPLOIT-DB","x_transferred"],"url":"https://www.exploit-db.com/exploits/5078"},{"name":"28787","tags":["third-party-advisory","x_refsource_SECUNIA","x_transferred"],"url":"http://secunia.com/advisories/28787"},{"name":"20080206 ZDI-08-003: Symantec Backup Exec Remote File Upload Vulnerability","tags":["mailing-list","x_refsource_BUGTRAQ","x_transferred"],"url":"http://www.securityfocus.com/archive/1/487688/100/0/threaded"},{"name":"ADV-2008-0413","tags":["vdb-entry","x_refsource_VUPEN","x_transferred"],"url":"http://www.vupen.com/english/advisories/2008/0413"},{"name":"27487","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"http://www.securityfocus.com/bid/27487"},{"name":"1019303","tags":["vdb-entry","x_refsource_SECTRACK","x_transferred"],"url":"http://www.securitytracker.com/id?1019303"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://seer.entsupport.symantec.com/docs/297171.htm"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://www.symantec.com/avcenter/security/Content/2008.02.04.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://www.zerodayinitiative.com/advisories/ZDI-08-003.html"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2008-02-04T00:00:00.000Z","descriptions":[{"lang":"en","value":"Unrestricted file upload vulnerability in the FileUpload class running on the Symantec LiveState Apache Tomcat server, as used by Symantec Backup Exec System Recovery Manager 7.0 and 7.0.1, allows remote attackers to upload and execute arbitrary JSP files via unknown vectors."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2018-10-15T20:57:01.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"name":"5078","tags":["exploit","x_refsource_EXPLOIT-DB"],"url":"https://www.exploit-db.com/exploits/5078"},{"name":"28787","tags":["third-party-advisory","x_refsource_SECUNIA"],"url":"http://secunia.com/advisories/28787"},{"name":"20080206 ZDI-08-003: Symantec Backup Exec Remote File Upload Vulnerability","tags":["mailing-list","x_refsource_BUGTRAQ"],"url":"http://www.securityfocus.com/archive/1/487688/100/0/threaded"},{"name":"ADV-2008-0413","tags":["vdb-entry","x_refsource_VUPEN"],"url":"http://www.vupen.com/english/advisories/2008/0413"},{"name":"27487","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/27487"},{"name":"1019303","tags":["vdb-entry","x_refsource_SECTRACK"],"url":"http://www.securitytracker.com/id?1019303"},{"tags":["x_refsource_CONFIRM"],"url":"http://seer.entsupport.symantec.com/docs/297171.htm"},{"tags":["x_refsource_CONFIRM"],"url":"http://www.symantec.com/avcenter/security/Content/2008.02.04.html"},{"tags":["x_refsource_MISC"],"url":"http://www.zerodayinitiative.com/advisories/ZDI-08-003.html"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2008-0457","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Unrestricted file upload vulnerability in the FileUpload class running on the Symantec LiveState Apache Tomcat server, as used by Symantec Backup Exec System Recovery Manager 7.0 and 7.0.1, allows remote attackers to upload and execute arbitrary JSP files via unknown vectors."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"5078","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/5078"},{"name":"28787","refsource":"SECUNIA","url":"http://secunia.com/advisories/28787"},{"name":"20080206 ZDI-08-003: Symantec Backup Exec Remote File Upload Vulnerability","refsource":"BUGTRAQ","url":"http://www.securityfocus.com/archive/1/487688/100/0/threaded"},{"name":"ADV-2008-0413","refsource":"VUPEN","url":"http://www.vupen.com/english/advisories/2008/0413"},{"name":"27487","refsource":"BID","url":"http://www.securityfocus.com/bid/27487"},{"name":"1019303","refsource":"SECTRACK","url":"http://www.securitytracker.com/id?1019303"},{"name":"http://seer.entsupport.symantec.com/docs/297171.htm","refsource":"CONFIRM","url":"http://seer.entsupport.symantec.com/docs/297171.htm"},{"name":"http://www.symantec.com/avcenter/security/Content/2008.02.04.html","refsource":"CONFIRM","url":"http://www.symantec.com/avcenter/security/Content/2008.02.04.html"},{"name":"http://www.zerodayinitiative.com/advisories/ZDI-08-003.html","refsource":"MISC","url":"http://www.zerodayinitiative.com/advisories/ZDI-08-003.html"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2008-0457","datePublished":"2008-02-07T20:00:00.000Z","dateReserved":"2008-01-24T00:00:00.000Z","dateUpdated":"2024-08-07T07:46:54.620Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2008-02-07 21:00:00","lastModifiedDate":"2026-04-23 00:35:47","problem_types":["CWE-20","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","baseScore":10,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"},"baseSeverity":"HIGH","exploitabilityScore":10,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":true,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:symantec:backupexec_system_recovery:7.0:*:*:*:*:*:*:*","matchCriteriaId":"17E843F0-6A21-4778-864C-CAADB1AC1457"},{"vulnerable":true,"criteria":"cpe:2.3:a:symantec:backupexec_system_recovery:7.01:*:*:*:*:*:*:*","matchCriteriaId":"609721EB-AAAC-4716-BD42-AB69180BC44D"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2008","CveId":"457","Ordinal":"1","Title":"CVE-2008-0457","CVE":"CVE-2008-0457","Year":"2008"},"notes":[{"CveYear":"2008","CveId":"457","Ordinal":"1","NoteData":"Unrestricted file upload vulnerability in the FileUpload class running on the Symantec LiveState Apache Tomcat server, as used by Symantec Backup Exec System Recovery Manager 7.0 and 7.0.1, allows remote attackers to upload and execute arbitrary JSP files via unknown vectors.","Type":"Description","Title":"CVE-2008-0457"},{"CveYear":"2008","CveId":"457","Ordinal":"2","NoteData":"2008-02-07","Type":"Other","Title":"Published"},{"CveYear":"2008","CveId":"457","Ordinal":"3","NoteData":"2018-10-15","Type":"Other","Title":"Modified"}]}}}