CVE-2011-2757
published 2011-07-17


Priority: P3 (45)
Severity: medium, 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 39.37% (98.4th percentile)
Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0.0.12 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the FILENAME parameter. NOTE: this might overlap the US-CERT VU#543310 issue.

Affected

4 ranges

Vendor | Product | Version range | Fixed in
manageengine | servicedesk_plus | <= 8.0.0.12 |
manageengine | servicedesk_plus | |
manageengine | servicedesk_plus | |
manageengine | servicedesk_plus | |

Detection & IOCs (extracted from sources)

  • The vulnerability affects ManageEngine ServiceDesk Plus build 9110 and lower per the Metasploit module, but the NVD entry and original exploits reference version 8.0.0.12 and earlier; ensure detection coverage spans both version ranges.
  • The vulnerability also affects ManageEngine Support Center Plus (not just ServiceDesk Plus); detection rules should cover both products' /workorder/FileDownload.jsp endpoints.
  • On Windows, exploitation can yield SYSTEM-level file reads; on Linux, root-level file reads are possible if the service runs as root. Severity of detections should reflect privilege context.
  • The fix for ServiceDesk Plus was released as Service Pack Build 8012; the fix for Support Center Plus was released as patch 7803. Verify patched build numbers when triaging alerts.
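One way to turn the notes above into a log check, as an added example that is not part of the original entry or any vendor tooling: it flags requests to /workorder/FileDownload.jsp whose FILENAME parameter contains a dot-dot path segment. The combined access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint named on this page; compared case-insensitively (a detection choice).
ENDPOINT = "/workorder/filedownload.jsp"
# Request line and status code as they appear in a combined-format access log (assumed).
REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded dot-dot is still seen."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def is_traversal(request_target):
    """True if the target hits the endpoint with a '..' segment in FILENAME."""
    parts = urlsplit(request_target)
    if not decode_fully(parts.path).lower().endswith(ENDPOINT):
        return False
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode_fully handles further encoding layers.
        if key.upper() == "FILENAME":
            if ".." in re.split(r"[\\/]", decode_fully(val)):
                return True
    return False

def scan(lines):
    """Return (request target, HTTP status) for every flagged log line."""
    hits = []
    for line in lines:
        m = REQ.search(line)
        if m and is_traversal(m.group(1)):
            hits.append((m.group(1), int(m.group(2))))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /workorder/FileDownload.jsp?FILENAME=report.pdf HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /workorder/FileDownload.jsp?FILENAME=..%2F..%2Fconf%2Fexample.txt HTTP/1.1" 200 812',
    '192.0.2.44 - - [01/Jan/2024:10:00:06 +0000] "GET /workorder/FileDownload.jsp?FILENAME=%252e%252e%255cexample.txt HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /home.jsp?FILENAME=../x HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for target, status in scan(SAMPLE):
        print(status, target)
```

A flagged request that returned 200 deserves a closer look than one that returned 404, and the installed build number should be checked against the patched builds listed above.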