Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
21 Nov 2024, 02:13
Type | Values Removed | Values Added |
---|---|---|
References | () http://seclists.org/fulldisclosure/2014/Sep/110 - Exploit | |
References | () https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt - Exploit | |
References | () https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix - Patch |
Information
Published : 2014-12-04 17:59
Updated : 2024-11-21 02:13
NVD link : CVE-2014-6036
Mitre link : CVE-2014-6036
CVE.ORG link : CVE-2014-6036
JSON object : View
Products Affected
zohocorp
- manageengine_social_it_plus
- manageengine_it360
- manageengine_opmanager
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')