CVE-2014-5445 — MEDIUM (5.0)

Q: How severe is CVE-2014-5445?

CVE-2014-5445 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-5445?

Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine It360, Zohocorp Manageengine Netflow Analyzer.

Vulnerability Description

Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet.

CVSS Score

5.0

MEDIUM

AV:N/AC:L/Au:N/C:P/I:N/A:N

Confidentiality

PARTIAL

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Zohocorp	Manageengine It360	10.3.0
Zohocorp	Manageengine Netflow Analyzer	>= 8.6, <= 10.2

Related Weaknesses (CWE)

CWE-22

References

http://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-ExploitPatchThird Party Advisory
http://seclists.org/fulldisclosure/2014/Dec/9ExploitMailing ListThird Party Advisory
http://www.securityfocus.com/archive/1/534122/100/0/threadedThird Party AdvisoryVDB Entry
http://www.securityfocus.com/archive/1/534141/100/0/threadedThird Party AdvisoryVDB Entry
http://www.securityfocus.com/bid/71404ExploitMailing ListThird Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/99045Third Party AdvisoryVDB Entry
https://github.com/rapid7/metasploit-framework/pull/4282ExploitThird Party Advisory
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it36ExploitThird Party Advisory
https://support.zoho.com/portal/manageengine/helpcenter/articles/cve-2014-5445-cVendor Advisory
http://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-ExploitPatchThird Party Advisory
http://seclists.org/fulldisclosure/2014/Dec/9ExploitMailing ListThird Party Advisory
http://www.securityfocus.com/archive/1/534122/100/0/threadedThird Party AdvisoryVDB Entry
http://www.securityfocus.com/archive/1/534141/100/0/threadedThird Party AdvisoryVDB Entry
http://www.securityfocus.com/bid/71404ExploitMailing ListThird Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/99045Third Party AdvisoryVDB Entry

FAQ

What is CVE-2014-5445?

CVE-2014-5445 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via ...

How severe is CVE-2014-5445?

CVE-2014-5445 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-5445?

Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine It360, Zohocorp Manageengine Netflow Analyzer.