Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-5007

CWE-22: Path Traversal (6 documents, 4 sources)
Severity: 9.8 CRITICAL
EPSS: 50.0% (top 2.18%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Jan 17; latest update May 17

Description

Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

🔴 Vulnerability Details (2)

GHSA (2022-05-17): GHSA-7f93-hqwq-9wxf: Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Provid
CVEList (2020-01-17): CVE-2014-5007: Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Provid

💥 Exploits & PoCs (3)

Exploit-DB (2014-09-01): ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution
Exploit-DB (2013-11-25): DesktopCentral AgentLogUpload - Arbitrary File Upload (Metasploit)
Exploit-DB (2013-11-18): ManageEngine Desktop Central 8.0.0 build < 80293 - Arbitrary File Upload