CVE-2014-5301
published 2017-08-28

CVE-2014-5301: Directory traversal vulnerability in ServiceDesk Plus MSP v5 to v9.0 v9030; AssetExplorer v4 to v6.1; SupportCenter v5 to v7.9; IT360 v8 to v10.4.

Priority: P272 · high · 8.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 78.38% (99.5th percentile)

Detection & IOCs (extracted from sources)

path: /workorder/Attachment.jsp
path: /common/FileAttachment.jsp
path: /j_security_check
path: ../../server/default/deploy
cookie: JSESSIONID
cookie: IAMAGENTTICKET
port: 8080
port: 8400
  • Authentication is required to exploit this vulnerability; the module attempts default credentials but can also accept a pre-authenticated session cookie, meaning compromised or weak credentials are a prerequisite.
  • Only ServiceDesk v9 build 9031 and above was patched at time of module release; AssetExplorer, SupportCenter, and IT360 remained unpatched.
  • For IT360 targets, the ServiceDesk component typically runs on port 8400, not the default 8080; defenders should ensure monitoring covers both ports.
  • The exploit is effective on both Windows and Linux deployments, so platform-specific defenses alone are insufficient.

CVSS provenance

nvd · v3.0 · 8.8 HIGH · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C