CVE-2017-14123 — HIGH (8.8)

Vulnerability Description

Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upload vulnerability in the "Group Chat" section. Any user can upload files with any extensions. By uploading a PHP file to the server, an attacker can cause it to execute in the server context, as demonstrated by /itplus/FileStorage/302/shell.jsp.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Zohocorp	Manageengine Firewall Analyzer	12.2

Related Weaknesses (CWE)

CWE-434

References

https://blogs.securiteam.com/index.php/archives/3228ExploitPatchThird Party Advisory
https://pitstop.manageengine.com/portal/kb/articles/latest-consolidated-patchPatchVendor Advisory
https://blogs.securiteam.com/index.php/archives/3228ExploitPatchThird Party Advisory
https://pitstop.manageengine.com/portal/kb/articles/latest-consolidated-patchPatchVendor Advisory

FAQ

What is CVE-2017-14123?

CVE-2017-14123 is a vulnerability with a CVSS score of 8.8 (HIGH). Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upload vulnerability in the "Group Chat" section. Any user can upload files with any extensions. By uploading a PHP file to the serve...

How severe is CVE-2017-14123?

CVE-2017-14123 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-14123?

Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Firewall Analyzer.