CVE-2014-5446

Description

Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter.

Related CPE's

azohocorpmanageengine_it36010.3.0*******

azohocorpmanageengine_netflow_analyzer9.8.6*******

azohocorpmanageengine_netflow_analyzer9.1*******

azohocorpmanageengine_netflow_analyzer9.8.5*******

azohocorpmanageengine_netflow_analyzer10.0beta******

azohocorpmanageengine_netflow_analyzer9.9*******

azohocorpmanageengine_netflow_analyzer9.8*******

azohocorpmanageengine_netflow_analyzer8.6*******

azohocorpmanageengine_netflow_analyzer9.8.7*******

azohocorpmanageengine_netflow_analyzer9.7*******

References

https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt

Exploit

71404

Exploit

https://support.zoho.com/portal/manageengine/helpcenter/articles/cve-2014-5445-cve-2014-5446-fix-for-arbitrary-file-download

ExploitPatch

http://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-File-Download.html

Exploit

20141203 [The ManageOwnage Series, part IX]: 0-day arbitrary file download in NetFlow Analyzer and IT360

Exploit

netflow-cve20145446-dir-traversal(99046)

20141203 Re: [The ManageOwnage Series, part IX]: 0-day arbitrary file download in NetFlow Analyzer and IT360

20141130 [The ManageOwnage Series, part IX]: 0-day arbitrary file download in NetFlow Analyzer and IT360

CvssV3 impact

Could not find any metrics

CvssV2 impact

Version

2.0

VectorString

AV:N/AC:L/Au:N/C:P/I:N/A:N

AccessVector

NETWORK

AccessComplexity

LOW

Authentication

NONE

ConfidentialityImpact

PARTIAL

IntegrityImpact

NONE

AvailabilityImpact

NONE

BaseScore

5

Created by Yello
About Severity.io