CVE-2014-5446

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine Netflow Analyzer versions 8.6 through 10.2 Zoho ManageEngine IT360 version 10.3

Description A directory traversal issue exists in the DisplayChartPDF servlet, allowing remote attackers and remote authenticated users to read arbitrary files. This is achieved by including a .. (dot dot) in the filename parameter.

Recommendations For Zoho ManageEngine Netflow Analyzer versions 8.6 through 10.2, restrict access to the DisplayChartPDF servlet until a fix is available. For Zoho ManageEngine IT360 version 10.3, avoid using the filename parameter in the DisplayChartPDF servlet until the issue is resolved. As a temporary workaround, consider disabling the DisplayChartPDF servlet to prevent exploitation.