CVE-2014-7863: Infoleak
First published: Sat Feb 08 2020(Updated: )
The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zohocorp Manageengine Applications Manager | <=11.9 | |
| Zohocorp Manageengine It360 | <=10.5 | |
| Zohocorp Manageengine Opmanager | >=8<=11.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/130162/ManageEngine-File-Download-Content-Disclosure-SQL-Injection.html
- http://seclists.org/fulldisclosure/2015/Jan/114
- http://www.securityfocus.com/archive/1/archive/1/534575/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/100554
- https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt
- https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet
Frequently Asked Questions
What is CVE-2014-7863?
CVE-2014-7863 is a vulnerability in ZOHO ManageEngine Applications Manager, OpManager, and IT360 that allows remote attackers and authenticated users to read arbitrary files and conduct SQL injection attacks.
What is the severity of CVE-2014-7863?
CVE-2014-7863 has a severity rating of 7.5, which is considered high.
Which software are affected by CVE-2014-7863?
CVE-2014-7863 affects ZOHO ManageEngine Applications Manager (up to version 11.9), OpManager (versions 8 to 11.5), and IT360 (up to version 10.5).
How can remote attackers exploit CVE-2014-7863?
Remote attackers can exploit CVE-2014-7863 to read arbitrary files and conduct SQL injection attacks.
Are there any references to learn more about CVE-2014-7863?
Yes, you can find more information about CVE-2014-7863 at the following references: 1. [Packet Storm Security](http://packetstormsecurity.com/files/130162/ManageEngine-File-Download-Content-Disclosure-SQL-Injection.html) 2. [Full Disclosure Mailing List](http://seclists.org/fulldisclosure/2015/Jan/114) 3. [SecurityFocus](http://www.securityfocus.com/archive/1/archive/1/534575/100/0/threaded)
- collector/nvd-index
- agent/weakness
- vendor/zohocorp
- canonical/zohocorp manageengine applications manager
- version/zohocorp manageengine applications manager/11.9
- canonical/zohocorp manageengine it360
- version/zohocorp manageengine it360/10.5
- canonical/zohocorp manageengine opmanager
- version/zohocorp manageengine opmanager/8
- version/zohocorp manageengine opmanager/11.5