PT-2018-11526 · Zoho · Zoho ManageEngine Network Configuration Manager +4

M3

Published: 2018-06-29
Updated: 2023-12-07
CVE-2018-12997
CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Zoho ManageEngine Netflow Analyzer versions prior to build 123137
Zoho ManageEngine Network Configuration Manager versions prior to build 123128
Zoho ManageEngine OpManager versions prior to build 123148
Zoho ManageEngine OpUtils versions prior to build 123161
Zoho ManageEngine Firewall Analyzer versions prior to build 123147

Description

The issue allows attackers to bypass access controls and read certain files on the web server without logging in. This is achieved by sending a specially crafted request to the server with the operation set to copyfile and including a fileName substring.

Recommendations

For Zoho ManageEngine Netflow Analyzer versions prior to build 123137, update to build 123137 or later.
For Zoho ManageEngine Network Configuration Manager versions prior to build 123128, update to build 123128 or later.
For Zoho ManageEngine OpManager versions prior to build 123148, update to build 123148 or later.
For Zoho ManageEngine OpUtils versions prior to build 123161, update to build 123161 or later.
For Zoho ManageEngine Firewall Analyzer versions prior to build 123147, update to build 123147 or later.
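
A log check for the request pattern named in the Description, added here as an example (it is not part of the advisory or of Zoho's code): it scans web access logs for requests whose query string sets operation to copyfile and carries a fileName parameter. The combined log format, the path /EXAMPLE/endpoint, the addresses and every sample line are constructed assumptions; parameter names and values are compared case-insensitively by choice.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format). The path /EXAMPLE/endpoint,
# the file name and the addresses are placeholders, not values from the advisory.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jul/2018:10:00:01 +0000] "GET /EXAMPLE/endpoint?operation=copyfile&fileName=example.txt HTTP/1.1" 200 512
198.51.100.7 - - [01/Jul/2018:10:00:02 +0000] "GET /EXAMPLE/endpoint?x=1&operation=copy%66ile&fileName=example.txt HTTP/1.1" 403 0
203.0.113.9 - - [01/Jul/2018:10:00:03 +0000] "GET /index.html?operation=status HTTP/1.1" 200 1024
203.0.113.9 - - [01/Jul/2018:10:00:04 +0000] "GET /EXAMPLE/endpoint?operation=copyfile HTTP/1.1" 200 90
this line is not a valid access-log entry
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def find_copyfile_requests(log_text):
    """Return one dict per request with operation=copyfile and a fileName parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m["target"]).query
        # parse_qs percent-decodes names and values, so copy%66ile becomes copyfile
        params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
        operations = [v.lower() for v in params.get("operation", [])]
        if "copyfile" in operations and "filename" in params:
            status = int(m["status"])
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "target": m["target"],
                "status": status,
                # A 2xx answer means the server served the request: triage first
                "served": 200 <= status < 300,
            })
    return hits


if __name__ == "__main__":
    for hit in find_copyfile_requests(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["target"])
```

Access logs normally record only the query string, so parameters sent in a request body need a proxy or WAF log that captures bodies.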

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related identifiers

CVE-2018-12997

Affected products

Zoho ManageEngine Firewall Analyzer
Zoho ManageEngine Netflow Analyzer
Zoho ManageEngine Network Configuration Manager
Zoho ManageEngine OpManager
Zoho ManageEngine OpUtils