Vulnerability Details CVE-2014-5446
Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.657
EPSS Ranking 98.4%
CVSS Severity
CVSS v2 Score 5.0
References
- http://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-File-Download.html
- http://seclists.org/fulldisclosure/2014/Dec/9
- http://www.securityfocus.com/archive/1/534122/100/0/threaded
- http://www.securityfocus.com/archive/1/534141/100/0/threaded
- http://www.securityfocus.com/bid/71404
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99046
- https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt
- https://support.zoho.com/portal/manageengine/helpcenter/articles/cve-2014-5445-cve-2014-5446-fix-for-arbitrary-file-download
- http://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-File-Download.html
- http://seclists.org/fulldisclosure/2014/Dec/9
- http://www.securityfocus.com/archive/1/534122/100/0/threaded
- http://www.securityfocus.com/archive/1/534141/100/0/threaded
- http://www.securityfocus.com/bid/71404
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99046
- https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt
- https://support.zoho.com/portal/manageengine/helpcenter/articles/cve-2014-5445-cve-2014-5446-fix-for-arbitrary-file-download
Products affected by CVE-2014-5446
-
cpe:2.3:a:zohocorp:manageengine_it360:10.3.0
-
cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:10.0
-
cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:10.2
-
cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:8.6
-
cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.0
-
cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.1
-
cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.5
-
cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.6
-
cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.7
-
cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.8
-
cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.8.5
-
cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.8.6
-
cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.8.7
-
cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:9.9