CVE-2014-6034

Zohocorp Manageengine Social IT Plus < 10.4 - Path Traversal

Title source: rule

Description

Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Pedro Ribeiro · ruby, remote, java
https://www.exploit-db.com/exploits/34867

exploitdb WRITEUP
webapps, multiple
https://www.exploit-db.com/exploits/43896

metasploit WORKING POC EXCELLENT
ruby, poc, java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/opmanager_socialit_file_upload.rb

Scores

EPSS 0.8655
EPSS Percentile 99.4%

Details

CWE CWE-22
Status published
Products (14)
zohocorp/manageengine_it360 < 10.4
zohocorp/manageengine_opmanager 8.8
zohocorp/manageengine_opmanager 9.0
zohocorp/manageengine_opmanager 9.1
zohocorp/manageengine_opmanager 9.2
zohocorp/manageengine_opmanager 9.4
zohocorp/manageengine_opmanager 10.0
zohocorp/manageengine_opmanager 10.1
zohocorp/manageengine_opmanager 10.2
zohocorp/manageengine_opmanager 11.0
... and 4 more
Published Dec 04, 2014
Tracked Since Feb 18, 2026