| Vulnerability Details | |
|---|---|
| Impact | CVSS V3 rating: 10 (Critical) |
| Reported | 18 Mar 2019 |
| Fixed | 21 Mar 2019 |
| Affected Builds | Till Build 123322 |
| Fixed in | Build 123323 |
| Overview | Vulnerability in Path traversal |
| Recommended Fix | Upgrade to NetFlow Analyzer Version 12.3.323 or above. |
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. An Absolute Path Traversal vulnerability in the Administration zone, in /netflow/servlet/CReportPDFServlet (via the parameter schFilePath), allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via any file name, such as a schFilePath=C:\boot.ini value.
We recommend that you upgrade to NetFlow Analyzer version 12.3.323 and above to fix this issue.
Source and Acknowledgements
Find out more about CVE-2019-8925, CVE-2019-8926, CVE-2019-8927, CVE-2019-8928 and CVE-2019-8929 from the CVE dictionary.
For clarification or corrections please contact our support team or email us at netflowanalyzer-support@manageengine.com