The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager prior to 11.9 build 11912, OpManager 8 up to and including 11.5 build 11400, and IT360 10.5 and previous versions does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
zohocorp manageengine applications manager |
||
zohocorp manageengine it360 |
||
zohocorp manageengine opmanager |