Sign-up

ID

VAR-201709-0371


CVE

CVE-2017-14123


TITLE

Zoho ManageEngine Firewall Analyzer Vulnerable to unlimited upload of dangerous types of files

Trust: 0.8

sources: JVNDB: JVNDB-2017-007772

DESCRIPTION

Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upload vulnerability in the "Group Chat" section. Any user can upload files with any extensions. By uploading a PHP file to the server, an attacker can cause it to execute in the server context, as demonstrated by /itplus/FileStorage/302/shell.jsp. Zoho ManageEngine Firewall Analyzer Contains a vulnerability related to unlimited uploads of dangerous types of files.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ManageEngine Firewall Analyzer is prone to an arbitrary file-upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application or privilege escalation. ManageEngine Firewall Analyzer 12200 is vulnerable; other versions may also be affected. Zoho ManageEngine Firewall Analyzer is a set of web-based firewall log analysis tools from Zoho, USA. It can collect, correlate analysis and report logs on firewalls, proxy servers and Radius servers throughout the enterprise. Group Chat is one of the team communication tools

Trust: 1.98

sources: NVD: CVE-2017-14123 // JVNDB: JVNDB-2017-007772 // BID: 100837 // VULHUB: VHN-104814

AFFECTED PRODUCTS

vendor:zohocorpmodel:manageengine firewall analyzerscope:eqversion:12.2

Trust: 1.6

vendor:zohomodel:manageengine firewall analyzerscope: - version: -

Trust: 0.8

vendor:zohocorpmodel:manageengine firewall analyzerscope:eqversion:12200

Trust: 0.3

sources: BID: 100837 // JVNDB: JVNDB-2017-007772 // CNNVD: CNNVD-201709-076 // NVD: CVE-2017-14123

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-14123
value: HIGH

Trust: 1.0

NVD: CVE-2017-14123
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201709-076
value: HIGH

Trust: 0.6

VULHUB: VHN-104814
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-14123
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-104814
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-14123
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2017-14123
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-104814 // JVNDB: JVNDB-2017-007772 // CNNVD: CNNVD-201709-076 // NVD: CVE-2017-14123

PROBLEMTYPE DATA

problemtype:CWE-434

Trust: 1.9

sources: VULHUB: VHN-104814 // JVNDB: JVNDB-2017-007772 // NVD: CVE-2017-14123

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-076

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201709-076

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-007772

PATCH
title:Latest Consolidated Patchurl:https://pitstop.manageengine.com/portal/kb/articles/latest-consolidated-patch
Trust: 0.8
title:Zoho ManageEngine Firewall Analyzer Group Chat Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74534
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-007772 // 
            
            
            
            CNNVD: CNNVD-201709-076

EXTERNAL IDS
db:NVDid:CVE-2017-14123
Trust: 2.8
db:JVNDBid:JVNDB-2017-007772
Trust: 0.8
db:CNNVDid:CNNVD-201709-076
Trust: 0.7
db:BIDid:100837
Trust: 0.4
db:VULHUBid:VHN-104814
Trust: 0.1
sources:
            
            
            VULHUB: VHN-104814 // 
            
            
            
            BID: 100837 // 
            
            
            
            JVNDB: JVNDB-2017-007772 // 
            
            
            
            CNNVD: CNNVD-201709-076 // 
            
            
            
            NVD: CVE-2017-14123

REFERENCES
url:https://blogs.securiteam.com/index.php/archives/3228
Trust: 2.8
url:https://pitstop.manageengine.com/portal/kb/articles/latest-consolidated-patch
Trust: 2.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14123
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-14123
Trust: 0.8
url:https://www.manageengine.com/products/firewall/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-104814 // 
            
            
            
            BID: 100837 // 
            
            
            
            JVNDB: JVNDB-2017-007772 // 
            
            
            
            CNNVD: CNNVD-201709-076 // 
            
            
            
            NVD: CVE-2017-14123

CREDITS
Yasser Ali
Trust: 0.3
sources:
            
            
            BID: 100837

SOURCES
db:VULHUBid:VHN-104814
db:BIDid:100837
db:JVNDBid:JVNDB-2017-007772
db:CNNVDid:CNNVD-201709-076
db:NVDid:CVE-2017-14123

LAST UPDATE DATE
2024-11-23T22:17:48.979000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-104814date:2020-10-01T00:00:00
db:BIDid:100837date:2017-09-04T00:00:00
db:JVNDBid:JVNDB-2017-007772date:2017-10-03T00:00:00
db:CNNVDid:CNNVD-201709-076date:2020-10-22T00:00:00
db:NVDid:CVE-2017-14123date:2024-11-21T03:12:11.170

SOURCES RELEASE DATE
db:VULHUBid:VHN-104814date:2017-09-04T00:00:00
db:BIDid:100837date:2017-09-04T00:00:00
db:JVNDBid:JVNDB-2017-007772date:2017-10-03T00:00:00
db:CNNVDid:CNNVD-201709-076date:2017-09-06T00:00:00
db:NVDid:CVE-2017-14123date:2017-09-04T20:29:00.197