OrbiTeam BSCW prior to 5.0.8 allows remote malicious users to obtain sensitive metadata via the inf operations (op=inf) to an object in pub/bscw.cgi/.
bscw bscw