CVE-2014-6034

Zohocorp ManageEngine Social IT Plus < 10.4 - Path Traversal

Description

Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Pedro Ribeiro · ruby · remote · java
https://www.exploit-db.com/exploits/34867
metasploit WORKING POC EXCELLENT
ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/opmanager_socialit_file_upload.rb
exploitdb WRITEUP
webapps · multiple
https://www.exploit-db.com/exploits/43896

Scores

EPSS 0.8655
EPSS Percentile 99.4%

Classification

CWE
CWE-22
Status draft

Affected Products (14)

zohocorp/manageengine_social_it_plus
zohocorp/manageengine_it360 < 10.4
zohocorp/manageengine_opmanager (12 entries)

Timeline

Published Dec 04, 2014
Tracked Since Feb 18, 2026