Intuit QuickBooks 'HelpAsyncPluggableProtocol.dll' File Disclosure Vulnerability

Bugtraq ID:	52854
Class:	Unknown
CVE:	CVE-2012-2420
Remote:	Yes
Local:	No
Published:	Apr 02 2012 12:00AM
Updated:	Mar 13 2013 05:25PM
Credit:	Derek Soeder
Vulnerable:	Intuit QuickBooks 2012 Intuit QuickBooks 2009
Not Vulnerable:

Intuit QuickBooks 'HelpAsyncPluggableProtocol.dll' File Disclosure Vulnerability

QuickBooks is an accounting application available for Microsoft Windows.

An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the applications. Information obtained may aid in further attacks.

QuickBooks 2009 through 2012 are vulnerable.

Intuit QuickBooks 'HelpAsyncPluggableProtocol.dll' File Disclosure Vulnerability

Local attackers can use standard tools to exploit this issue.

Intuit QuickBooks 'HelpAsyncPluggableProtocol.dll' File Disclosure Vulnerability

Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Intuit QuickBooks 'HelpAsyncPluggableProtocol.dll' File Disclosure Vulnerability

References:

• QuickBooks Vendor Page (Intuit)
  
• Intuit Help System Protocol File Retrieval (ds.adv.pub)