PT-2015-6784 · Zoho · Zoho Manageengine Supportcenter Plus
Alain Homewood · Published 2015-06-30 · Updated 2016-12-07 · CVE-2015-5149
CVSS v2.0: 5.5 (Medium)
| Vector | AV:N/AC:L/Au:S/C:N/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Zoho ManageEngine SupportCenter Plus version 7.90
Description
A directory traversal issue exists, allowing remote authenticated users to write to arbitrary files. It is triggered by supplying a .. (dot dot) sequence in the component parameter of a request to the "workorder/Attachment.jsp" endpoint.
Recommendations
For Zoho ManageEngine SupportCenter Plus version 7.90, consider restricting access to the "workorder/Attachment.jsp" endpoint until a patch is available. As a temporary workaround, avoid using the component parameter in requests to that endpoint, to minimize the risk of exploitation.
Exploit
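The control the recommendation leaves implicit is to confine whatever the client sends in component to the attachment directory. The following is an added Python example, not ManageEngine's code; only the endpoint and the parameter name come from the advisory, and the attachment directory and sample values are assumed.

```python
"""Added example, not ManageEngine's code: confining an attachment write to
its base directory. Only the endpoint and the `component` parameter name are
taken from the advisory; the directory layout is assumed for illustration."""
from pathlib import Path, PurePosixPath


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would escape the attachment root."""


def resolve_attachment_path(base_dir: str, component: str) -> Path:
    """Map the `component` request parameter onto a path under base_dir.

    Two layers, because each catches what the other misses:
    1. syntactic: reject empty, absolute, and any '..' segment (the exact
       pattern in the advisory) before touching the filesystem;
    2. semantic: canonicalise the joined path and require it to remain
       inside the canonical base_dir, which also covers symlinks.
    """
    root = Path(base_dir).resolve()
    # Treat backslashes as separators too: the product also ships on Windows,
    # where 'a\\..\\b' would otherwise be seen here as a single segment.
    supplied = PurePosixPath(component.replace("\\", "/"))
    if not supplied.parts or supplied.is_absolute() or ".." in supplied.parts:
        raise PathTraversalError(f"rejected component={component!r}")
    candidate = (root / supplied).resolve()
    try:
        candidate.relative_to(root)  # raises ValueError when outside root
    except ValueError:
        raise PathTraversalError(f"escapes attachment root: {component!r}") from None
    return candidate


def is_safe_component(base_dir: str, component: str) -> bool:
    """Boolean wrapper, convenient for a request filter or a unit test."""
    try:
        resolve_attachment_path(base_dir, component)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample values for the `component` parameter (assumed root).
    for value in ["ticket123/report.pdf", "../../conf/server.xml",
                  "/etc/passwd", "ticket123\\..\\..\\bin\\run.bat", ""]:
        verdict = "ok" if is_safe_component("/srv/attachments", value) else "REJECTED"
        print(f"{value!r:40} -> {verdict}")
```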
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Zoho Manageengine Supportcenter Plus