CVE-2016-6601

Name of the Vulnerable Software and Affected Versions ZOHO WebNMS Framework versions 5.2 through 5.2 SP1

Description A directory traversal issue exists in the file download functionality, allowing remote attackers to read arbitrary files. This is achieved by including a .. (dot dot) in the fileName parameter to the "servlets/FetchFile" endpoint.

Recommendations For ZOHO WebNMS Framework versions 5.2 through 5.2 SP1, consider restricting access to the "servlets/FetchFile" endpoint until a patch is available. Avoid using the fileName parameter with unvalidated input to minimize the risk of exploitation.