ManageEngine SupportCenter Plus < 7.9 Build 7917 attach Parameter Directory Traversal

high Nessus Plugin ID 72257

Synopsis

The remote host is running a web application affected by a directory traversal vulnerability.

Description

The remote host is running a version of ManageEngine SupportCenter Plus prior to version 7.9 build 7917. It is, therefore, affected by a directory traversal vulnerability in the handling of the 'attach' parameter of 'WorkOrder.do' for attachments, which could allow an attacker to download sensitive files.

Solution

Upgrade to ManageEngine SupportCenter version 7.9 build 7917 or later.

See Also

https://supportcenter.wiki.zoho.com/ReadMe-V2.html#7917

Plugin Details

Severity: High

ID: 72257

File Name: manageengine_supportcenter_7917.nasl

Version: 1.6

Type: remote

Family: CGI abuses

Published: 2/3/2014

Updated: 3/23/2022

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2014-100002

CVSS v3

Risk Factor: High

Base Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Vulnerability Information

CPE: cpe:/a:manageengine:supportcenter_plus

Required KB Items: installed_sw/ManageEngine SupportCenter

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/14/2013

Vulnerability Publication Date: 1/28/2014

Reference Information

BID: 65199