CVE-2015-2959

Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://jvn.jp/en/jp/JVN25598413/index.html	Vendor Advisory
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000075	Vendor Advisory
http://www.securityfocus.com/bid/75065
http://www.securitytracker.com/id/1032516
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerability-fix-for-fails-to-restrict-access-permissions-cross-site-scripting-cross-site-request-forgery-over-build-10250	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2015-06-09 00:59

Updated : 2023-12-10 11:46

NVD link : CVE-2015-2959

Mitre link : CVE-2015-2959

CVE.ORG link : CVE-2015-2959

JSON object : View

Products Affected

zohocorp

manageengine_netflow_analyzer

CWE

CWE-284

Improper Access Control

{"id": "CVE-2015-2959", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-06-09T00:59:01.353", "references": [{"url": "http://jvn.jp/en/jp/JVN25598413/index.html", "tags": ["Vendor Advisory"], "source": "vultures@jpcert.or.jp"}, {"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000075", "tags": ["Vendor Advisory"], "source": "vultures@jpcert.or.jp"}, {"url": "http://www.securityfocus.com/bid/75065", "source": "vultures@jpcert.or.jp"}, {"url": "http://www.securitytracker.com/id/1032516", "source": "vultures@jpcert.or.jp"}, {"url": "https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerability-fix-for-fails-to-restrict-access-permissions-cross-site-scripting-cross-site-request-forgery-over-build-10250", "tags": ["Patch", "Vendor Advisory"], "source": "vultures@jpcert.or.jp"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role."}, {"lang": "es", "value": "Zoho NetFlow Analyzer build 10250 y anteriores no comprueba para la autorizaci\u00f3n administrativa, lo que permite a atacantes remotos obtener informaci\u00f3n sensible, modificar contrase\u00f1as o eliminar cuentas mediante el aprovechamiento del role de invitado."}], "lastModified": "2016-12-31T02:59:25.937", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0940949F-4EB4-460B-8CE9-56B6387250F3"}], "operator": "OR"}]}], "sourceIdentifier": "vultures@jpcert.or.jp"}