CVE-2015-2959

Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000075	Vendor Advisory
http://jvn.jp/en/jp/JVN25598413/index.html	Vendor Advisory
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerability-fix-for-fails-to-restrict-access-permissions-cross-site-scripting-cross-site-request-forgery-over-build-10250	Patch Vendor Advisory
http://www.securityfocus.com/bid/75065
http://www.securitytracker.com/id/1032516

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:-:*:*:*:*:*:*:*

Information

Published : 2015-06-08 17:59

Updated : 2016-12-30 18:59

NVD link : CVE-2015-2959

Mitre link : CVE-2015-2959

JSON object : View

CWE

CWE-284

Improper Access Control

Advertisement

Products Affected

zohocorp

manageengine_netflow_analyzer

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000075", "name": "JVNDB-2015-000075", "tags": ["Vendor Advisory"], "refsource": "JVNDB"}, {"url": "http://jvn.jp/en/jp/JVN25598413/index.html", "name": "JVN#25598413", "tags": ["Vendor Advisory"], "refsource": "JVN"}, {"url": "https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerability-fix-for-fails-to-restrict-access-permissions-cross-site-scripting-cross-site-request-forgery-over-build-10250", "name": "https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerability-fix-for-fails-to-restrict-access-permissions-cross-site-scripting-cross-site-request-forgery-over-build-10250", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/75065", "name": "75065", "tags": [], "refsource": "BID"}, {"url": "http://www.securitytracker.com/id/1032516", "name": "1032516", "tags": [], "refsource": "SECTRACK"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-284"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2015-2959", "ASSIGNER": "vultures@jpcert.or.jp"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2015-06-09T00:59Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2016-12-31T02:59Z"}