Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-7866

CWE-22Path Traversal5 documents4 sources
Severity
7.5HIGH
EPSS
82.8%
top 0.76%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
3
Zohocorp Manageengine It360Zohocorp Manageengine OpmanagerZohocorp Manageengine Social IT Plus
Timeline
PublishedDec 10
Latest updateMay 14

Description

Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to write and execute arbitrary files via a .. (dot dot) in the (1) fileName parameter to the MigrateLEEData servlet or (2) zipFileName parameter in a downloadFileFromProbe operation to the MigrateCentralData servlet.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

NVDzohocorp/manageengine_it36010.3.0, 10.4+1

🔴Vulnerability Details

2
GHSA
GHSA-5wgw-w89c-xh9x: Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 112022-05-14
CVEList
CVE-2014-7866: Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 112014-12-10

💥Exploits & PoCs

2
Exploit-DB
ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities2014-11-10
Exploit-DB
ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities2014-11-09
CVE-2014-7866 (HIGH CVSS 7.5) | Multiple directory traversal vulner | cvebase.io