Livetecs Timelive before 6.2.8 does not properly restrict access to systemsetting.aspx, which allows remote attackers to change configurations and obtain the database connection string and credentials via unspecified vectors.Referenceshttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1217/http://www.securityfocus.com/archive/1/531911/100/0/threadedhttp://www.securityfocus.com/bid/67043http://seclists.org/fulldisclosure/2014/Apr/259
