← back
CVE-2019-8925

CVE-2019-8925

EPSS 11.8%
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. An Absolute Path Traversal vulnerability in the Administration zone, in /netflow/servlet/CReportPDFServlet (via the parameter schFilePath), allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via any file name, such as a schFilePath=C:\boot.ini value.
Affected products
n/a · n/a
public PoCs found3
cve_referencepacketstormsecurity.com/files/151757/Zoho-ManageEngine-Netflow-Analyzer-Professional-7.0.0.2-Traversal-XSS.htmlunverifiedcve_referencewww.exploit-db.com/exploits/46425/unverifiedexploitdbwww.exploit-db.com/exploits/46425unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/151757/Zoho-ManageEngine-Netflow-Analyzer-Professional-7.0.0.2-Traversal-XSS.htmlhttp://seclists.org/fulldisclosure/2019/Feb/45https://www.exploit-db.com/exploits/46425/https://www.manageengine.com/products/netflow/?doc