CVE-2014-5006 – ManageEngine Desktop Central MSP MDMLogUploaderServlet filename File Upload Remote Code Execution Vulnerability

https://notcve.org/view.php?id=CVE-2014-5006

Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter to mdm/mdmLogUploader. Vulnerabilidad de salto de directorio en ZOHO ManageEngine Desktop Central (DC) anterior a 9 build 90055 permite a atacantes remotos ejecutar código arbitrario a través de un .. (punto punto) en el parámetro fileName en mdm/mdmLogUploader. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Desktop Central MSP. • https://www.exploit-db.com/exploits/34518 https://www.exploit-db.com/exploits/34594 http://osvdb.org/show/osvdb/110644 http://seclists.org/fulldisclosure/2014/Aug/88 http://www.exploit-db.com/exploits/34594 https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_file_upload.txt https://www.manageengine.com/products/desktop-central/remote-code-execution.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •