Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-6037

CWE-22Path Traversal5 documents4 sources
Severity
7.5HIGH
EPSS
81.7%
top 0.81%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Zohocorp Manageengine Eventlog Analyzer
Timeline
PublishedOct 26
Latest updateMay 13

Description

Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its name, then accessing the executable via a direct request to the file under the web root. Fixed in Build 11072.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-48g9-8f3w-6mc2: Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 92022-05-13
CVEList
CVE-2014-6037: Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 92014-10-26

💥Exploits & PoCs

2
Exploit-DB
ManageEngine Eventlog Analyzer - Arbitrary File Upload (Metasploit)2014-09-15
Exploit-DB
ManageEngine EventLog Analyzer - Multiple Vulnerabilities (1)2014-09-01
CVE-2014-6037 (HIGH CVSS 7.5) | Directory traversal vulnerability i | cvebase.io