Vulnerability Details : CVE-2014-7863
Public exploit exists!
The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.
Vulnerability category: Information leak
Products affected by CVE-2014-7863
- cpe:2.3:a:zohocorp:manageengine_it360:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_opmanager:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-7863
EPSS score: 97.52% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~100% (the proportion of vulnerabilities that are scored at or less)
Metasploit modules for CVE-2014-7863
- ManageEngine Multiple Products Arbitrary Directory Listing
  Disclosure Date: 2015-01-28. First seen: 2020-04-26. Module: auxiliary/admin/http/manageengine_dir_listing
  This module exploits a directory listing information disclosure vulnerability in the FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. It makes a recursive listing, so it will list the whole drive if you ask it to list / in Linu
- ManageEngine Multiple Products Arbitrary File Download
  Disclosure Date: 2015-01-28. First seen: 2020-04-26. Module: auxiliary/admin/http/manageengine_file_download
  This module exploits an arbitrary file download vulnerability in the FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. This vulnerability is unauthenticated on OpManager and Applications Manager, but authenticated in IT360. This
CVSS scores for CVE-2014-7863
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | 
CWE ids for CVE-2014-7863
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-7863
- https://exchange.xforce.ibmcloud.com/vulnerabilities/100554
  ManageEngine OpManager, Applications Manager and IT360 file download CVE-2014-7863 Vulnerability Report (Third Party Advisory; VDB Entry)
- http://seclists.org/fulldisclosure/2015/Jan/114
  Full Disclosure: [The ManageOwnage Series, part XII]: Multiple vulnerabilities in FailOverServlet (OpManager, AppManager, IT360) (Exploit)
- http://packetstormsecurity.com/files/130162/ManageEngine-File-Download-Content-Disclosure-SQL-Injection.html
  ManageEngine File Download / Content Disclosure / SQL Injection, Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet
  Vulnerabilities in FailOverHelperServlet (Exploit; Vendor Advisory)