CVE-2014-5446 – ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download

https://notcve.org/view.php?id=CVE-2014-5446

Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter. Vulnerabilidad de salto de directorio en el servlet DisplayChartPDF en ZOHO ManageEngine Netflow Analyzer 8.6 hasta 10.2 y IT360 10.3 permite a atacantes remotos o usuarios remotos autenticados leer ficheros arbitrarios a través de un .. (punto punto) en el parámetro filename. ManageEngine Netflow Analyzer and IT360 suffer from an arbitrary file download vulnerability. • https://www.exploit-db.com/exploits/43895 http://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-File-Download.html http://seclists.org/fulldisclosure/2014/Dec/9 http://www.securityfocus.com/archive/1/534122/100/0/threaded http://www.securityfocus.com/archive/1/534141/100/0/threaded http://www.securityfocus.com/bid/71404 https://exchange.xforce.ibmcloud.com/vulnerabilities/99046 https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt&# • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •