PT-2014-8318 · Zoho · Social It Plus+2

Published: 2014-12-10
Updated: 2019-07-15
CVE-2014-7866
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
ManageEngine OpManager versions 8 (build 88xx) through 11.4
IT360 versions 10.3 and 10.4
Social IT Plus version 11.0

Description
The issue allows remote attackers, or remote authenticated users, to write and execute arbitrary files by way of directory traversal: a .. (dot dot) sequence in the fileName parameter of the MigrateLEEData servlet, or in the zipFileName parameter of a downloadFileFromProbe operation on the MigrateCentralData servlet.

Recommendations
For ManageEngine OpManager versions 8 (build 88xx) through 11.4, consider disabling the MigrateLEEData and MigrateCentralData servlets until a patch is available. For IT360 versions 10.3 and 10.4, restrict access to the MigrateCentralData servlet to minimize the risk of exploitation. For Social IT Plus version 11.0, avoid using the fileName and zipFileName parameters of the affected endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
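While the servlets stay exposed, requests carrying a traversal sequence in the two parameters named above can be picked out of the web server access log. The following is an added example (not part of this advisory or of the vendor's product): it decodes each fileName / zipFileName value, including double-encoded and backslash forms, and flags any ".." path segment. The servlet path prefix, the NCSA log format and the log lines themselves are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Servlet name -> parameter(s) the advisory identifies as traversal-prone.
WATCHED = {"MigrateLEEData": ("fileName",), "MigrateCentralData": ("zipFileName",)}
# A ".." path segment, checked after backslashes have been normalised to "/".
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access log (NCSA style); not taken from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2014:10:00:01 +0000] "GET /servlet/MigrateLEEData?fileName=report.csv HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Dec/2014:10:00:02 +0000] "GET /servlet/MigrateLEEData?fileName=..%2F..%2Fout.txt HTTP/1.1" 200 12',
    '10.0.0.9 - - [10/Dec/2014:10:00:03 +0000] "GET /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=%252e%252e%255cout.zip HTTP/1.1" 200 0',
    '10.0.0.7 - - [10/Dec/2014:10:00:04 +0000] "GET /index.do HTTP/1.1" 200 3000',
]

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded '..' (%252e%252e) is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_target(target):
    """Return (servlet, param, decoded value) if the request carries a traversal sequence, else None."""
    parts = urlsplit(target)
    servlet = parts.path.rsplit("/", 1)[-1]
    if servlet not in WATCHED:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # already strips one encoding layer
    for name in WATCHED[servlet]:
        for raw in params.get(name, []):
            value = decode_fully(raw).replace("\\", "/")
            if TRAVERSAL.search(value):
                return (servlet, name, value)
    return None

def scan_log(lines):
    """Return (line_no, client_ip, servlet, param, value) for every suspicious request."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            hit = check_target(m.group("target"))
            if hit:
                hits.append((no, line.split(" ", 1)[0]) + hit)
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: %s -> %s %s=%r" % hit)
```

Access logs only show query strings, so parameters sent in a POST body need the application's own request log or a WAF in front of the servlets to be checked the same way.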

Exploit

Path traversal


Weakness Enumeration

Related identifiers

CVE-2014-7866
ZDI-15-144
ZDI-15-145

Affected products

IT360
ManageEngine OpManager
Social IT Plus