CVE-2017-11512

HIGH | EXPLOITED IN THE WILD | NUCLEI

ManageEngine ServiceDesk <9.3.9328 - Path Traversal

Description

ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restriction of the pathname used in the name parameter for the download-snapshot URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.

Nuclei Templates (1)

ManageEngine ServiceDesk 9.3.9328 - Arbitrary File Retrieval
HIGH | VERIFIED | by 0x_Akoko
Shodan: http.title:"ManageEngine" || http.title:"manageengine"
FOFA: title="manageengine"

Scores

CVSS v3 7.5
EPSS 0.8294
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2022-01-12
InTheWild.io 2021-11-11
CWE CWE-22
Status published
Products (2)
manageengine/servicedesk 9.3.9328
Zoho/ManageEngine ServiceDesk 9.3.9328
Published Nov 08, 2017
Tracked Since Feb 18, 2026