Vulnerability Description
Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zohocorp | Manageengine Opmanager | <= 11.3 |
| Zohocorp | Manageengine It360 | <= 10.4 |
| Zohocorp | Manageengine Social It Plus | 11.0 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2014/Sep/110Exploit
- https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_soExploit
- https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulneraPatch
- http://seclists.org/fulldisclosure/2014/Sep/110Exploit
- https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_soExploit
- https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulneraPatch
FAQ
What is CVE-2014-6036?
CVE-2014-6036 is a vulnerability with a CVSS score of 6.4 (MEDIUM). Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or rem...
How severe is CVE-2014-6036?
CVE-2014-6036 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-6036?
Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Opmanager, Zohocorp Manageengine It360, Zohocorp Manageengine Social It Plus.