Vulnerability Description
Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers to read certain files on the web server without login by sending a specially crafted request to the server with the operation=copyfile&fileName= substring.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zohocorp | Firewall Analyzer | - |
| Zohocorp | Manageengine Netflow Analyzer | - |
| Zohocorp | Manageengine Network Configuration Manager | - |
| Zohocorp | Manageengine Opmanager | - |
| Zohocorp | Manageengine Oputils | - |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSSExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2018/Jul/73Mailing ListThird Party Advisory
- http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201807-037ExploitThird Party Advisory
- https://github.com/unh3x/just4cve/issues/8ExploitThird Party Advisory
- http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSSExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2018/Jul/73Mailing ListThird Party Advisory
- http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201807-037ExploitThird Party Advisory
- https://github.com/unh3x/just4cve/issues/8ExploitThird Party Advisory
FAQ
What is CVE-2018-12997?
CVE-2018-12997 is a vulnerability with a CVSS score of 7.5 (HIGH). Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils b...
How severe is CVE-2018-12997?
CVE-2018-12997 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-12997?
Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Firewall Analyzer, Zohocorp Manageengine Netflow Analyzer, Zohocorp Manageengine Network Configuration Manager, Zohocorp Manageengine Opmanager, Zohocorp Manageengine Oputils.