PT-2014-7017 · Zoho · It360+2

Published 2014-12-04 · Updated 2019-07-15 · CVE-2014-6036

CVSS v2.0: 6.4 Medium
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions

ZOHO ManageEngine OpManager versions 11.3 and earlier
Social IT Plus version 11.0
IT360 versions 10.3, 10.4, and earlier

Description

The issue allows remote attackers or remote authenticated users to delete arbitrary files via .. (dot dot) sequences in the fileName parameter. This is related to a directory traversal vulnerability in the multipartRequest servlet.

Recommendations

For ZOHO ManageEngine OpManager versions 11.3 and earlier, update to a version later than 11.3 to resolve the issue.
For Social IT Plus version 11.0, update to a version later than 11.0 to resolve the issue.
For IT360 versions 10.3, 10.4, and earlier, update to a version later than 10.4 to resolve the issue.
As a temporary workaround, consider restricting access to the multipartRequest servlet to minimize the risk of exploitation. Avoid using the fileName parameter in the affected API endpoint until the issue is resolved.
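The traversal pattern the description refers to, shown as an added defender-side example in Python rather than the servlet's Java (this is not ManageEngine's code; UPLOAD_DIR and the handler names are assumptions): the unchecked join that lets a .. sequence escape the base directory, beside a hardened check that accepts only a bare file name and confirms the resolved path still sits under the upload directory before any delete.

```python
from pathlib import Path

# Added, defender-side example; not ManageEngine code. The directory and the
# function names are assumptions chosen for illustration.
UPLOAD_DIR = Path("/var/app/uploads")


def vulnerable_target(file_name: str) -> Path:
    """The pattern the advisory describes: the request's fileName is joined to
    the base directory unchecked, so '..' segments (or an absolute path) walk
    out of UPLOAD_DIR before the file is deleted."""
    return Path(UPLOAD_DIR, file_name)


def is_traversal(file_name: str) -> bool:
    """Lexical check, also usable over request logs: flags path separators,
    NUL bytes, '.'/'..' and empty names. A '..' inside a name (a..b) is fine."""
    return (
        not file_name
        or "/" in file_name
        or "\\" in file_name
        or "\x00" in file_name
        or file_name in (".", "..")
    )


def safe_target(file_name: str) -> Path:
    """Hardened form: accept only a bare file name, then confirm the resolved
    path is directly under UPLOAD_DIR (defence in depth against symlinks and
    platform-specific normalisation)."""
    if is_traversal(file_name):
        raise ValueError(f"rejected fileName: {file_name!r}")
    base = UPLOAD_DIR.resolve(strict=False)
    target = (base / file_name).resolve(strict=False)
    if target.parent != base:
        raise ValueError(f"rejected fileName: {file_name!r}")
    return target


def delete_handler(file_name: str) -> str:
    """Simulated servlet handler: returns the decision instead of unlinking."""
    try:
        target = safe_target(file_name)
    except ValueError as exc:
        return f"400 {exc}"
    return f"200 would delete {target}"
```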

Exploit

Fix

Path traversal

Related Identifiers

CVE-2014-6036
ZDI-15-113

Affected Products

It360
Social It Plus
Zoho Manageengine Opmanager