The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/130162/ManageEngine-File-Download-Content-Disclosure-SQL-Injection.html | Exploit Third Party Advisory VDB Entry |
http://seclists.org/fulldisclosure/2015/Jan/114 | Exploit |
http://www.securityfocus.com/archive/1/archive/1/534575/100/0/threaded | Broken Link Third Party Advisory VDB Entry |
https://exchange.xforce.ibmcloud.com/vulnerabilities/100554 | Third Party Advisory VDB Entry |
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt | Broken Link |
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet | Exploit Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2020-02-08T16:57:37
Updated: 2020-02-08T16:57:37
Reserved: 2014-10-05T00:00:00
Link: CVE-2014-7863
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-02-08T17:15:10.980
Modified: 2020-02-13T16:30:45.727
Link: CVE-2014-7863
JSON object: View
Redhat Information
No data.
CWE