Vulnerability Description
Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zohocorp | Manageengine Social It Plus | 11.0 |
| Zohocorp | Manageengine It360 | <= 10.4 |
| Zohocorp | Manageengine Opmanager | 8.8 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2014/Sep/110Exploit
- https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_soExploit
- https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulneraPatch
- http://seclists.org/fulldisclosure/2014/Sep/110Exploit
- https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_soExploit
- https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulneraPatch
FAQ
What is CVE-2014-6034?
CVE-2014-6034 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4...
How severe is CVE-2014-6034?
CVE-2014-6034 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-6034?
Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Social It Plus, Zohocorp Manageengine It360, Zohocorp Manageengine Opmanager.