cvedb.io
CVE-2016-4360
CRITICAL · CVSS 9.1
EPSS exploitation probability: 0%
Published 2016-06-08T14:59:42.313 · Last modified 2026-06-17T00:47:24.897

Summary

web/admin/data.js in the Performance Center Virtual Table Server (VTS) component in HPE LoadRunner 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.02 through patch 2, and 12.50 through patch 3 and Performance Center 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.20 through patch 2, and 12.50 through patch 1 do not restrict file paths sent to an unlink call, which allows remote attackers to delete arbitrary files via the path parameter to data/import_csv, aka ZDI-CAN-3555.

Affected products

hp — loadrunner

Does this affect you?

Add your gear to cvedb and we'll alert you only when hp ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.