CVE ID: CVE-2016-0709
Vulnerable software: cpe:/a:apache:jetspeed:2.3.0
Published: 2016-04-11T10:59:01.677-04:00
Last modified: 2016-04-20T14:14:29.950-04:00

CVSS
  Score: 9.0
  Access vector: NETWORK
  Access complexity: LOW
  Authentication: SINGLE_INSTANCE
  Confidentiality impact: COMPLETE
  Integrity impact: COMPLETE
  Availability impact: COMPLETE
  Source: http://nvd.nist.gov
  Generated on: 2016-04-12T13:46:00.047-04:00

References
  EXPLOIT-DB: 39643
  MLIST: [portals-jetspeed-user] 20160303 [CVE-2016-0709] Apache Jetspeed information disclosure vulnerability
  MISC: http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and
  MISC: http://packetstormsecurity.com/files/136489/Apache-Jetspeed-Arbitrary-File-Upload.html
  MISC: http://www.rapid7.com/db/modules/exploit/multi/http/apache_jetspeed_file_upload
  CONFIRM: https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0709

Summary
  Directory traversal vulnerability in the Import/Export function in the Portal Site Manager in Apache Jetspeed before 2.3.1 allows remote authenticated administrators to write to arbitrary files, and consequently execute arbitrary code, via a .. (dot dot) in a ZIP archive entry, as demonstrated by "../../webapps/x.jsp."