
ManageEngine OpManager Multiple Directory Traversal Vulnerabilities

Description

The version of ManageEngine OpManager installed on the remote host is affected by multiple directory traversal vulnerabilities:

- The FileCollector servlet fails to properly sanitize user-supplied input to the 'regionID' and 'FILENAME' parameters when uploading files. This allows a remote attacker and authenticated users to write to and execute arbitrary WAR files. (CVE-2014-6034, CVE-2014-6035)
- The multipartRequest servlet fails to properly sanitize user-supplied input to the 'fileName' parameter. This allows a remote attacker and authenticated users to delete arbitrary files. (CVE-2014-6036)

Note that Nessus has tested for the two directory traversal and file upload vulnerabilities; however, it did not test for the arbitrary code execution or file deletion vulnerabilities. If a file can be uploaded via the directory traversal attack, then the execution and deletion flaws are likely exploitable as well.
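
An added example, not part of the original advisory and not Nessus or OpManager code: a log check that flags requests whose 'regionID', 'FILENAME' or 'fileName' values contain a parent-directory segment or an absolute path, including double-encoded forms. It assumes these parameters appear in the query string of a combined-format access log; the /PLACEHOLDER/ paths and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names from the advisory, compared case-insensitively.
WATCHED = {"regionid", "filename"}
# A ".." path segment bounded by a separator or the string edge.
DOTDOT = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Absolute paths: leading separator or Windows drive letter.
ABSOLUTE = re.compile(r"^(?:[\\/]|[A-Za-z]:)")
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return [(name, decoded_value)] for watched parameters that escape a directory."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() not in WATCHED:
            continue
        value = fully_decode(value)
        if DOTDOT.search(value) or ABSOLUTE.match(value):
            hits.append((name, value))
    return hits

def scan_access_log(lines):
    """Return [(line_number, hits)] for log lines with a flagged request."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            findings.append((number, hits))
    return findings

# Constructed sample lines; the /PLACEHOLDER/ paths are not the product's real URLs.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2015:10:00:00 +0000] "POST /PLACEHOLDER/FileCollector?regionID=1&FILENAME=report.zip HTTP/1.1" 200 12',
    '192.0.2.11 - - [01/Jan/2015:10:00:05 +0000] "POST /PLACEHOLDER/FileCollector?regionID=../../x&FILENAME=a.war HTTP/1.1" 200 12',
    '192.0.2.12 - - [01/Jan/2015:10:00:09 +0000] "POST /PLACEHOLDER/multipartRequest?fileName=%252e%252e%255cconf%255cfile HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for number, hits in scan_access_log(SAMPLE_LOG):
        print(number, hits)
```

Parameters sent in a multipart or form body do not reach an access log, so the same `suspicious_params` check would have to run where the request body is visible, such as a reverse proxy or WAF.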

