← back
CVE-2017-11512

CVE-2017-11512

EPSS 79.6%CWE-22
Vexday Risk Score
40Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS EPSS 79.6%KEV nãoPoC Nuclei simMetasploit Patch
Lifecycle
08 Nov 2017Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.
Affected products
Zoho · ManageEngine ServiceDesk

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://www.tenable.com/security/research/tra-2017-31http://www.securityfocus.com/bid/101789