First published: Sat Feb 08 2020 (Updated: )
The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zohocorp ManageEngine Applications Manager | <=11.9 | |
| Zohocorp ManageEngine IT360 | <=10.5 | |
| Zohocorp ManageEngine OpManager | >=8, <=11.5 | |
CVE-2014-7863 is a vulnerability in ZOHO ManageEngine Applications Manager, OpManager, and IT360 that allows remote attackers and authenticated users to read arbitrary files and conduct SQL injection attacks.
CVE-2014-7863 has a severity rating of 7.5, which is considered high.
CVE-2014-7863 affects ZOHO ManageEngine Applications Manager (up to version 11.9), OpManager (versions 8 to 11.5), and IT360 (up to version 10.5).
Remote attackers can exploit CVE-2014-7863 to read arbitrary files and conduct SQL injection attacks.
Yes, more information about CVE-2014-7863 is available at the following references:

1. [Packet Storm Security](http://packetstormsecurity.com/files/130162/ManageEngine-File-Download-Content-Disclosure-SQL-Injection.html)
2. [Full Disclosure Mailing List](http://seclists.org/fulldisclosure/2015/Jan/114)
3. [SecurityFocus](http://www.securityfocus.com/archive/1/archive/1/534575/100/0/threaded)