This page lists the security vulnerabilities fixed in NetFlow Analyzer, each with its CVE ID (or "Internal" where no CVE was assigned), severity, and the build number(s) in which the fix shipped. Where a row lists more than one build number, the page does not state which release line each applies to. Use ManageEngine's Security Response Center to report vulnerabilities in ManageEngine products.
| CVE ID | Synopsis | Severity | Fixed in build |
|---|---|---|---|
| CVE-2023-47211 | Path traversal vulnerability in the MIB browser; fixed by sanitizing the supplied path. | High | 127260 / 127248 / 127193 / 127142 |
| CVE-2022-37024 | Remote Code Execution (RCE) vulnerability in IPv6 address management. Reported by an anonymous researcher working with Trend Micro Zero Day Initiative. | Critical | 126120 / 126105 / 126003 / 125658 |
| CVE-2022-38772 | RCE vulnerability in IPv4 address management. Reported by an anonymous researcher working with Trend Micro Zero Day Initiative. | Critical | 126120 / 126105 / 126003 / 125658 |
| CVE-2022-36923 | Unauthenticated access to a user's API key. Reported by an anonymous researcher working with Trend Micro Zero Day Initiative. | Critical | 126118 / 126104 / 126002 / 125657 |
| CVE-2022-35404 | Unauthorized file creation leading to high resource consumption. Reported by Tenable. | Medium | 125639 / 125655 / 126101 |
| CVE-2022-24703 | Stored XSS vulnerability in the Schedule name field of the Schedule page. | Medium | 125584 |
| Internal | Authentication bypass vulnerability in the file import APIs of the NetFlow EE Central Server. | High | 125476 / 125565 |
| CVE-2021-43319 | RCE vulnerability in the Ping functionality. | High | 125488 |
| CVE-2021-41075 | SQL injection in the Attacks module API. | High | 125464 |
| CVE-2021-20078 | Path traversal vulnerability in the SparkGateway jar allowing folder deletion. | Critical | 125362 / 125332 / 125347 |
| CVE-2021-3287 | Unauthenticated RCE vulnerability due to a general bypass of the deserialization class. | Critical | 125220 |
| CVE-2020-12116 | Path traversal vulnerability. | High | 124196 / 125125 |
| CVE-2020-11946 | Unauthenticated API key disclosure via a servlet call. | High | 124188 / 125120 |
| CVE-2020-11527 | Arbitrary file read vulnerability. | High | 124181 |
| CVE-2020-10541 | RCE vulnerability in the Mail Server Settings v1 APIs. | High | 124172 |
| Internal | XML injection vulnerability in IPGroup bulk load. | High | 124168 |
| CVE-2019-17421 | Incorrect file permissions on the packaged Nipper executable. | Medium | 124079 / 124099 |
| CVE-2017-11560 | HTML injection vulnerability. | Medium | 124033 |
| CVE-2019-12196 | SQL injection vulnerability in Compare reports. | High | 124029 |
| CVE-2008-0128 | Vulnerability in the bundled Apache Tomcat. | Medium | 124024 |
| CVE-2019-7422, CVE-2019-7423, CVE-2019-7424, CVE-2019-7425, CVE-2019-7426, CVE-2019-7427 | XSS vulnerability in input text boxes on the Reports and Settings pages. | High | 123323 |
| CVE-2019-8925, CVE-2019-8926, CVE-2019-8927, CVE-2019-8928, CVE-2019-8929 | Path traversal vulnerability. | High | 123323 |
| Internal | An operator user could access restricted folders by bypassing session checks. | High | 123241 |
| CVE-2018-19403 | Unauthenticated RCE vulnerability. | High | 123231 |
| CVE-2018-12997, CVE-2018-12998 | Arbitrary web script or HTML injection. | Medium | 123169 |
| CVE-2018-10803 | Cross-site scripting (XSS) in the Add Credential page. | Medium | 123125 |
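The practical question this table answers is whether a given installed build still carries any of the listed CVEs, and the multi-build rows make a naive "is my build newer than the fix" comparison unreliable. The Python script below is an added example, not part of the ManageEngine page or product, that parses a subset of rows copied from the table above and reports which CVEs are not confirmed fixed for an installed build number. It assumes (the page does not state this) that build numbers increase monotonically across releases, so a build at or above the highest listed fixed build contains the fix and a build below the lowest listed fixed build does not; a build that falls between the listed numbers is reported as "unverified" so that the release line is checked rather than guessed.

```python
import re
import sys
from typing import Dict, List, Tuple

# Subset of rows copied from the advisory table above (CVE ID, synopsis,
# severity, fixed-in builds). Separators vary on purpose to exercise parsing.
ADVISORY_TABLE = """\
| CVE-2023-47211 | Path traversal in the MIB browser | High | 127260 / 127248 / 127193 / 127142 |
| CVE-2022-37024 | RCE in IPv6 address management | Critical | 126120 / 126105 / 126003 / 125658 |
| CVE-2022-36923 | Unauthenticated access to API key | Critical | 126118 / 126104 / 126002 / 125657 |
| CVE-2022-35404 | Unauthorized file creation | Medium | 125639 / 125655 / 126101 |
| CVE-2021-20078 | Path traversal in SparkGateway jar | Critical | 125362, 125332 and 125347 |
| CVE-2021-3287 | Unauthenticated RCE via deserialization bypass | Critical | 125220 |
"""

# Build numbers on this page are six digits; pulling them by regex tolerates
# "/", "," and "and" as separators.
BUILD_RE = re.compile(r"\d{6}")


def parse_rows(table: str) -> List[Tuple[str, str, List[int]]]:
    """Return (cve_id, severity, ascending fixed builds) for each table row."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4:
            continue
        cve_id, _synopsis, severity, fixed = cells[:4]
        builds = sorted({int(b) for b in BUILD_RE.findall(fixed)})
        if builds:  # skips header/separator lines, which carry no build
            rows.append((cve_id, severity, builds))
    return rows


def assess(installed_build: int, rows: List[Tuple[str, str, List[int]]]) -> Dict[str, str]:
    """Classify each CVE as 'fixed', 'vulnerable' or 'unverified'.

    Assumption (not stated on the page): builds are numbered monotonically.
    At or above the highest listed fix -> fixed. Below the lowest listed fix
    -> vulnerable. In between, the build may sit on a release line whose fix
    came later, so it is flagged 'unverified' rather than guessed.
    """
    result = {}
    for cve_id, _severity, builds in rows:
        if installed_build >= builds[-1]:
            result[cve_id] = "fixed"
        elif installed_build < builds[0]:
            result[cve_id] = "vulnerable"
        else:
            result[cve_id] = "unverified"
    return result


def outstanding(installed_build: int, table: str = ADVISORY_TABLE) -> List[str]:
    """CVEs not confirmed fixed for the build, most severe first."""
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    rows = parse_rows(table)
    status = assess(installed_build, rows)
    hits = [(cve, sev) for cve, sev, _ in rows if status[cve] != "fixed"]
    hits.sort(key=lambda item: order.get(item[1], 9))  # stable: keeps table order within a severity
    return [f"{cve} ({sev}, {status[cve]})" for cve, sev in hits]


if __name__ == "__main__":
    # Pass the installed build number as the only argument.
    build = int(sys.argv[1]) if len(sys.argv) > 1 else 126110
    for entry in outstanding(build) or ["no outstanding CVEs in the sample table"]:
        print(entry)
```

Run it with the installed build number as the argument; for example build 126110 is reported as vulnerable to CVE-2023-47211, fixed for CVE-2022-35404, and unverified for CVE-2022-37024 and CVE-2022-36923, because 126110 lies between the listed fixed builds for those two rows and only the vendor's release notes can say which line it belongs to.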