CVE-2016-6600

Name of the Vulnerable Software and Affected Versions ZOHO WebNMS Framework versions 5.2 through 5.2 SP1

Description A directory traversal issue exists in the file upload functionality, allowing remote attackers to upload and execute arbitrary JSP files. This is achieved by including a .. (dot dot) in the fileName parameter to the "servlets/FileUploadServlet" endpoint.

Recommendations For ZOHO WebNMS Framework versions 5.2 through 5.2 SP1, consider restricting access to the "servlets/FileUploadServlet" endpoint to minimize the risk of exploitation. Avoid using the fileName parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.