Absolute Path Traversal Vulnerability in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2

CVE-2019-8925 · MEDIUM Severity

AV:N/AC:L/AU:S/C:P/I:N/A:N

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. An Absolute Path Traversal vulnerability in the Administration zone, in /netflow/servlet/CReportPDFServlet (via the parameter schFilePath), allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via any file name, such as a schFilePath=C:\boot.ini value.

Learn more about our User Device Pen Test.