Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-8925

CWE-22Path Traversal4 documents4 sources
Severity
4.3MEDIUM
EPSS
9.0%
top 7.37%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Zohocorp Manageengine Netflow Analyzer
Timeline
PublishedMay 17
Latest updateMay 24

Description

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. An Absolute Path Traversal vulnerability in the Administration zone, in /netflow/servlet/CReportPDFServlet (via the parameter schFilePath), allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via any file name, such as a schFilePath=C:\boot.ini value.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-894v-rfxj-998f: An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 72022-05-24
CVEList
CVE-2019-8925: An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 72019-05-17

💥Exploits & PoCs

1
Exploit-DB
Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting2019-02-19
CVE-2019-8925 (MEDIUM CVSS 4.3) | An issue was discovered in Zoho Man | cvebase.io