CVE-2017-11511
published 2017-11-08


Priority: P277 high | CVSS 3.0: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 3.54% (87.8th percentile)

The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the filepath parameter for the download-file URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
manageengine | servicedesk | |
zoho | manageengine_servicedesk | |

Detection & IOCs (extracted from sources)

url: http://192.168.1.200:8080/fosagent/repl/download-file?basedir=4&filepath=pgsql\data\pg_log\pgsql_Wed.log
url: http://192.168.1.200:8080/fosagent/repl/download-file?basedir=4&filepath=..\..\Windows\win.ini
path: /fosagent/repl/download-file
path: /fosagent/repl/download-snapshot
path: C:\ManageEngine\ServiceDesk\bin\..\fileAttachments
path: C:\ManageEngine\ServiceDesk\bin\..\inlineimages
path: C:\ManageEngine\ServiceDesk\bin\..\archive
  • Monitor HTTP requests to the /fosagent/repl/download-file endpoint for the presence of directory traversal sequences (e.g., ..\) in the 'filepath' parameter, which indicates exploitation of CVE-2017-11511.
  • Both /fosagent/repl/download-file and /fosagent/repl/download-snapshot endpoints are accessible by unauthenticated remote users; any unauthenticated access to these endpoints should be treated as suspicious.
  • The vulnerability remains unfixed as of ManageEngine ServiceDesk version 9.3.9328; ensure the installed version is checked against this baseline when assessing exposure.
  • The 'basedir' parameter in the download-file endpoint controls the base directory scope; traversal is possible relative to these base directories (fileAttachments, inlineimages, archive, ServiceDesk root).
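
The monitoring guidance above can be expressed as a small log triage script. This is an added example, not code from the page or from the vendor; it assumes common/combined-format access logs, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints named on this page; both answer unauthenticated requests.
ENDPOINTS = {"/fosagent/repl/download-file", "/fosagent/repl/download-snapshot"}
# Request field of a common/combined-format access log line (format assumed).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e -> %2e -> '.')."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return 'traversal', 'endpoint-access', or None for one log line."""
    match = REQUEST.search(line)
    if not match:
        return None
    target = urlsplit(match.group(1))
    path = fully_decode(target.path).lower().rstrip("/")
    if path not in ENDPOINTS:
        return None
    if path.endswith("/download-file"):
        for value in parse_qs(target.query).get("filepath", []):
            # Split on both separators so ..\ and ../ are treated alike.
            if ".." in re.split(r"[\\/]+", fully_decode(value)):
                return "traversal"
    return "endpoint-access"

# Constructed sample lines (not from a real server).
SAMPLE_LOG = [
    r'203.0.113.7 - - [08/Nov/2017:10:00:01 +0000] "GET /fosagent/repl/download-file?basedir=4&filepath=..\..\Windows\win.ini HTTP/1.1" 200 92',
    r'203.0.113.7 - - [08/Nov/2017:10:00:02 +0000] "GET /fosagent/repl/download-file?basedir=4&filepath=%2e%2e%5c%2e%2e%5cWindows%5cwin.ini HTTP/1.1" 200 92',
    r'203.0.113.7 - - [08/Nov/2017:10:00:03 +0000] "GET /fosagent/repl/download-file?basedir=4&filepath=%252e%252e%255cWindows%255cwin.ini HTTP/1.1" 200 92',
    r'203.0.113.9 - - [08/Nov/2017:10:05:00 +0000] "GET /fosagent/repl/download-file?basedir=4&filepath=pgsql\data\pg_log\pgsql_Wed.log HTTP/1.1" 200 4096',
    r'203.0.113.9 - - [08/Nov/2017:10:06:00 +0000] "GET /fosagent/repl/download-snapshot HTTP/1.1" 200 10240',
    r'203.0.113.9 - - [08/Nov/2017:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

def scan(lines):
    """Return (verdict, line) pairs for every line that touches the endpoints."""
    return [(v, l) for l in lines if (v := classify(l))]

if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_LOG):
        print(f"{verdict:16} {line}")
```

Lines marked 'endpoint-access' carry no traversal sequence but still reach endpoints that the guidance above says to treat as suspicious when accessed without authentication.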

CVSS provenance

nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck | 7.5 | HIGH