CVE-2014-5005

Name of the Vulnerable Software and Affected Versions ManageEngine Desktop Central versions prior to 9 build 90055

Description The issue allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter in an LFU action to statusUpdate. This is a directory traversal vulnerability.

Recommendations For versions prior to 9 build 90055, update to version 9 build 90055 or later to resolve the issue. As a temporary workaround, consider restricting access to the statusUpdateServlet to minimize the risk of exploitation. Avoid using the fileName parameter in the affected API endpoint until the issue is resolved.