CVE-2014-8678
ManageEngine OpUtils ConfigSaveServlet saveFile Information Disclosure Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The ConfigSaveServlet servlet in ManageEngine OpUtils before build 71024 allows remote attackers to "disclose" files via a crafted filename, related to "saveFile."
El servlet ConfigSaveServlet en ManageEngine OpUtils anterior a build 71024 permite a atacantes remotos 'revelar' ficheros a través de un nombre de fichero manipulado, relacionado con 'saveFile.'
This vulnerability allows remote attackers to disclose files on vulnerable installations of ManageEngine OpUtils. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the ConfigSaveServlet servlet. The issue lies in the failure to properly sanitize a filename. A remote attacker can exploit this vulnerability to disclose files from the system.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-11-07 CVE Reserved
- 2014-11-21 CVE Published
- 2024-08-06 CVE Updated
- 2024-08-21 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| http://www.zerodayinitiative.com/advisories/ZDI-14-386 | X_refsource_misc |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Manageengine Search vendor "Manageengine" | Oputils Search vendor "Manageengine" for product "Oputils" | <= 7.0 Search vendor "Manageengine" for product "Oputils" and version " <= 7.0" | - |
Affected
| ||||||