CVE-2017-11511

HIGH EXPLOITED

ManageEngine ServiceDesk <9.3.9328 - Path Traversal


Exploitation Summary

CVE-2017-11511 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file download because the pathname supplied in the filepath parameter of the download-file URL is not properly restricted. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.

References (2)

https://www.tenable.com/security/research/tra-2017-31 (Issue Tracking, Third Party Advisory; x_refsource_misc)
http://www.securityfocus.com/bid/101788 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_bid)

Scores

CVSS v3: 7.5
EPSS: 0.0354
EPSS Percentile: 87.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV: 2024-09-19
CWE: CWE-200, CWE-22
Status: published
Products (2):
manageengine/servicedesk 9.3.9328
Zoho/ManageEngine ServiceDesk 9.3.9328
Published: Nov 08, 2017
Tracked Since: Feb 18, 2026