CVSS: 10.0EPSS: 90%CPEs: 1EXPL: 4CVE-2014-5006 – ManageEngine Desktop Central MSP MDMLogUploaderServlet filename File Upload Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-5006
Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter to mdm/mdmLogUploader. Vulnerabilidad de salto de directorio en ZOHO ManageEngine Desktop Central (DC) anterior a 9 build 90055 permite a atacantes remotos ejecutar código arbitrario a través de un .. (punto punto) en el parámetro fileName en mdm/mdmLogUploader. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Desktop Central MSP. • https://www.exploit-db.com/exploits/34518 https://www.exploit-db.com/exploits/34594 http://osvdb.org/show/osvdb/110644 http://seclists.org/fulldisclosure/2014/Aug/88 http://www.exploit-db.com/exploits/34594 https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_file_upload.txt https://www.manageengine.com/products/desktop-central/remote-code-execution.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 2%CPEs: 2EXPL: 4CVE-2014-5007 – ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-5007
Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename parameter. Una vulnerabilidad de salto de directorio en el servlet agentLogUploader en ZOHO ManageEngine Desktop Central (DC) y Desktop Central Managed Service Providers (MSP) edición anterior a 9 build 90055, permite a atacantes remotos escribir y ejecutar archivos arbitrarios como SYSTEM por medio de un .. (punto punto) en el parámetro filename. ManageEngine Desktop Central suffers from code execution and remote shell upload vulnerabilities. • https://www.exploit-db.com/exploits/34518 https://www.exploit-db.com/exploits/29674 https://www.exploit-db.com/exploits/29812 http://seclists.org/fulldisclosure/2014/Aug/88 https://www.manageengine.com/products/desktop-central/remote-code-execution.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •