Detections
Analytics
ManageEngine AssetExplorer Multiple Vulnerabilities
medium Nessus Plugin ID 86885
Language:
Synopsis
The remote web server is affected by multiple vulnerabilities.Description
The version of ManageEngine AssetExplorer running on the remote web server is affected by multiple vulnerabilities :- A security bypass vulnerability exists due to a misconfiguration in web.xml that allows access to the URL /workorder/FileDownload.jsp without requiring authentication.
- A path traversal vulnerability exists in the servlet that processes the URL /workorder/FileDownload.jsp due to improper sanitization of input to the 'fName' parameter.
Consequently, an unauthenticated, remote attacker can exploit these issues, by using a crafted directory traversal sequence, to retrieve arbitrary files through the web server, subject to the privileges that it operates under.
Solution
Upgrade to ManageEngine AssetExplorer version 6.1 build 6113 or later.See Also
https://www.manageengine.com/products/asset-explorer/sp-readme.html
Plugin Details
Severity: Medium
ID: 86885
File Name: manageengine_assetexplorer_fName_traversal.nasl
Version: 1.6
Type: remote
Family: CGI abuses
Published: 11/16/2015
Updated: 1/19/2021
Supported Sensors: Nessus
Vulnerability Information
CPE: cpe:/a:zoho:manageengine_assetexplorer
Required KB Items: installed_sw/ManageEngine AssetExplorer
Excluded KB Items: Settings/disable_cgi_scanning
Exploited by Nessus: true
Patch Publication Date: 9/23/2015
Vulnerability Publication Date: 9/23/2015