Information Disclosure in Desktop Laptop Option (DLO)

Revision History

1.0: December 23, 2020: Initial version
1.1: January 8, 2021: Added CVE ID

Summary

The Veritas Desktop and Laptop Option (DLO) 9.5 application contains a fix to a security issue. It is recommended that Veritas customers update DLO software to the latest 9.5 release.

Issue

Information Disclosure
CVE ID: CVE-2020-36159
Severity: Medium
CVSS v3.1 Base Score 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

The Desktop and Laptop Option (DLO) application prior to version 9.5 disclosed operational information on the backup processing status through a URL which did not require authentication.

Acknowledgement

Veritas would like to thank Muhammed Kılıç of Biznet Bilişim for responsibly reporting this vulnerability to us.