CVE-2014-6036

Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter.

Published: Dec 4, 2014
Updated: Apr 13, 2023
CVE: CVE-2014-6036
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.4
AV:N/AC:L/Au:N/C:N/I:P/A:P

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
zohocorp / manageengine_opmanager	-	11.3.x
zohocorp / manageengine_it360	-	10.4.x
zohocorp / manageengine_it360	10.3.0	10.3.0.x
zohocorp / manageengine_social_it_plus	11.0	11.0.x

http://seclists.org/fulldisclosure/2014/Sep/110
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt
https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix

Vulnerability Database

289,697

CVE-2014-6036