CVE-2014-7863

HIGH

Zohocorp Manageengine Applications Manager - Information Disclosure

Description

The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.

Exploits (3)

exploitdb (writeup; tags: webapps, multiple)
https://www.exploit-db.com/exploits/43894

metasploit (working PoC; tags: ruby, poc)
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/manageengine_dir_listing.rb

metasploit (working PoC; tags: ruby, poc)
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/manageengine_file_download.rb

Scores

CVSS v3 7.5
EPSS 0.8887
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE
CWE-200
Status published

Affected Products (3)

zohocorp/manageengine_applications_manager < 11.9
zohocorp/manageengine_it360 < 10.5
zohocorp/manageengine_opmanager < 11.5

Timeline

Published Feb 08, 2020
Tracked Since Feb 18, 2026