CVE-2014-5445 – ManageEngine NetFlow Analyzer CReportPDFServlet schFilePath Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2014-5445
Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet.

This vulnerability allows remote attackers to disclose files on vulnerable installations of ManageEngine NetFlow Analyzer. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of input to the CReportPDFServlet servlet. The issue lies in the failure to perform any validation of the input filename.

References:
• https://www.exploit-db.com/exploits/43895
• http://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-File-Download.html
• http://seclists.org/fulldisclosure/2014/Dec/9
• http://www.securityfocus.com/archive/1/534122/100/0/threaded
• http://www.securityfocus.com/archive/1/534141/100/0/threaded
• http://www.securityfocus.com/bid/71404
• https://exchange.xforce.ibmcloud.com/vulnerabilities/99045
• https://github.com/rapid7/metasploit-framework/pull/4282
• https://raw.githubusercontent.com

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2014-5446 – ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download
https://notcve.org/view.php?id=CVE-2014-5446
Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter.

ManageEngine Netflow Analyzer and IT360 suffer from an arbitrary file download vulnerability.

References:
• https://www.exploit-db.com/exploits/43895
• http://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-File-Download.html
• http://seclists.org/fulldisclosure/2014/Dec/9
• http://www.securityfocus.com/archive/1/534122/100/0/threaded
• http://www.securityfocus.com/archive/1/534141/100/0/threaded
• http://www.securityfocus.com/bid/71404
• https://exchange.xforce.ibmcloud.com/vulnerabilities/99046
• https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2007-3593 – NetFlow Analyzer 5 - '/jspui/appConfig.jsp?task' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-3593
Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine NetFlow Analyzer 5 allow remote attackers to inject arbitrary web script or HTML via the (1) alpha parameter in (a) netflow/jspui/applicationList.jsp, the (2) task parameter in (b) netflow/jspui/appConfig.jsp, the (3) view parameter in (c) netflow/jspui/index.jsp, and the (4) rtype parameter in (d) netflow/jspui/selectDevice.jsp and (e) netflow/jspui/customReport.jsp. NOTE: it was later reported that vector 3 also affects 7.5 build 7500.

References:
• https://www.exploit-db.com/exploits/30267
• https://www.exploit-db.com/exploits/30266
• https://www.exploit-db.com/exploits/30270
• https://www.exploit-db.com/exploits/30268
• https://www.exploit-db.com/exploits/30269
• http://lostmon.blogspot.com/2007/07/netflow-analizer-5-opmanager-7-multiple.html
• http://osvdb.org/37826
• http://osvdb.org/37827
• http://osvdb.org/37828
• http://osvdb.org/37829
• http://osvdb.org/37830
• http://secunia.com/advisories/25947
• http://www

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2007-3594 – OpManager 6/7 - '/admin/DeviceAssociation.do' Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2007-3594
Multiple cross-site scripting (XSS) vulnerabilities in AdventNet ManageEngine OpManager 6 and 7 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter in (a) ping.do and (b) traceRoute.do in map/; the (2) reportName, (3) displayName, and (4) selectedNode parameters to (c) reports/ReportViewAction.do; the (5) operation parameter to (d) admin/ServiceConfiguration.do; and the (6) selectedNode and (7) selectedTab parameters to (e) admin/DeviceAssociation.do. NOTE: the searchTerm parameter in Search.do is already covered by CVE-2006-2343.

References:
• https://www.exploit-db.com/exploits/30275
• https://www.exploit-db.com/exploits/30274
• https://www.exploit-db.com/exploits/30271
• https://www.exploit-db.com/exploits/30272
• https://www.exploit-db.com/exploits/30273
• http://lostmon.blogspot.com/2007/07/netflow-analizer-5-opmanager-7-multiple.html
• http://osvdb.org/37821
• http://osvdb.org/37822
• http://osvdb.org/37823
• http://osvdb.org/37824
• http://osvdb.org/37825
• http://osvdb.org/38945
• http://osvdb.org/3894

CVE-2005-3522 – NetFlow Analyzer 4 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2005-3522
Cross-site scripting (XSS) vulnerability in index.jsp in ManageEngine Netflow Analyzer 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the grDisp parameter.

References:
• https://www.exploit-db.com/exploits/26354
• http://marc.info/?l=bugtraq&m=112967149509401&w=2
• http://secunia.com/advisories/17253
• http://securitytracker.com/id?1015078
• http://www.osvdb.org/20073
• http://www.securityfocus.com/bid/15127
• https://exchange.xforce.ibmcloud.com/vulnerabilities/22788