CVE-2014-5445 Information
Description
Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet.
Reference
http://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-File-Download.html http://seclists.org/fulldisclosure/2014/Dec/9 http://www.securityfocus.com/archive/1/534122/100/0/threaded http://www.securityfocus.com/archive/1/534141/100/0/threaded http://www.securityfocus.com/bid/71404 https://exchange.xforce.ibmcloud.com/vulnerabilities/99045 https://github.com/rapid7/metasploit-framework/pull/4282 https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt https://support.zoho.com/portal/manageengine/helpcenter/articles/cve-2014-5445-cve-2014-5446-fix-for-arbitrary-file-download
Share on: