Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-5445

CWE-22 — Path Traversal4 documents4 sources

Severity

5.0MEDIUM

EPSS

91.0%

top 0.36%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Zohocorp Manageengine Netflow Analyzer Zohocorp Manageengine It360

Timeline

PublishedDec 4

Latest updateMay 14

Description

Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶NVDzohocorp/manageengine_netflow_analyzer8.6 — 10.2

▶NVDzohocorp/manageengine_it36010.3.0

Patches

Patch: packetstormsecurity.com ↗Patch: packetstormsecurity.com ↗

🔴Vulnerability Details

GHSA

GHSA-r7hm-265q-g66c: Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8↗2022-05-14

▶

CVEList

CVE-2014-5445: Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8↗2014-12-04

▶

💥Exploits & PoCs

Exploit-DB

ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download↗2014-12-03

▶