{"api_version":"1","generated_at":"2026-05-06T20:59:20+00:00","cve":"CVE-2015-6459","urls":{"html":"https://cve.report/CVE-2015-6459","api":"https://cve.report/api/cve/CVE-2015-6459.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2015-6459","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2015-6459"},"summary":{"title":"CVE-2015-6459","description":"Absolute path traversal vulnerability in the download feature in FileDownloadServlet in GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 allows remote attackers to read or delete arbitrary files via a full pathname.","state":"PUBLIC","assigner":"ics-cert@hq.dhs.gov","published_at":"2015-09-18 22:59:00","updated_at":"2015-09-23 18:53:00"},"problem_types":["CWE-22"],"metrics":[],"references":[{"url":"https://ics-cert.us-cert.gov/advisories/ICSA-15-258-03","name":"https://ics-cert.us-cert.gov/advisories/ICSA-15-258-03","refsource":"MISC","tags":["Third Party Advisory","US Government Resource"],"title":"GE MDS PulseNET Vulnerabilities | ICS-CERT","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://zerodayinitiative.com/advisories/ZDI-15-439/","name":"http://zerodayinitiative.com/advisories/ZDI-15-439/","refsource":"MISC","tags":[],"title":"Zero Day Initiative","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.gedigitalenergy.com/app/resources.aspx?prod=pulsenet&type=9","name":"http://www.gedigitalenergy.com/app/resources.aspx?prod=pulsenet&type=9","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"MDS PulseNet - Support Documents","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2015-6459","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-6459","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2015","cve_id":"6459","vulnerable":"1","versionEndIncluding":"3.1.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ge","cpe5":"mds_pulsenet","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2015","cve_id":"6459","vulnerable":"1","versionEndIncluding":"3.1.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ge","cpe5":"mds_pulsenet","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"ics-cert@hq.dhs.gov","ID":"CVE-2015-6459","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Absolute path traversal vulnerability in the download feature in FileDownloadServlet in GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 allows remote attackers to read or delete arbitrary files via a full pathname."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"http://www.gedigitalenergy.com/app/resources.aspx?prod=pulsenet&type=9","refsource":"CONFIRM","url":"http://www.gedigitalenergy.com/app/resources.aspx?prod=pulsenet&type=9"},{"name":"http://zerodayinitiative.com/advisories/ZDI-15-439/","refsource":"MISC","url":"http://zerodayinitiative.com/advisories/ZDI-15-439/"},{"name":"https://ics-cert.us-cert.gov/advisories/ICSA-15-258-03","refsource":"MISC","url":"https://ics-cert.us-cert.gov/advisories/ICSA-15-258-03"}]}},"nvd":{"publishedDate":"2015-09-18 22:59:00","lastModifiedDate":"2015-09-23 18:53:00","problem_types":["CWE-22"],"metrics":{"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":10},"severity":"HIGH","exploitabilityScore":10,"impactScore":10,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ge:mds_pulsenet:*:*:*:*:*:*:*:*","versionEndIncluding":"3.1.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ge:mds_pulsenet:*:*:*:*:enterprise:*:*:*","versionEndIncluding":"3.1.3","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2015","CveId":"6459","Ordinal":"83460","Title":"CVE-2015-6459","CVE":"CVE-2015-6459","Year":"2015"},"notes":[{"CveYear":"2015","CveId":"6459","Ordinal":"1","NoteData":"Absolute path traversal vulnerability in the download feature in FileDownloadServlet in GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 allows remote attackers to read or delete arbitrary files via a full pathname.","Type":"Description","Title":null},{"CveYear":"2015","CveId":"6459","Ordinal":"2","NoteData":"2015-09-18","Type":"Other","Title":"Published"},{"CveYear":"2015","CveId":"6459","Ordinal":"3","NoteData":"2015-09-18","Type":"Other","Title":"Modified"}]}}}