PT-2015-3321 · Manageengine · Manageengine Desktop Central

Sinn3R · Published 2015-07-08 · Updated 2020-02-17 · CVE-2015-8249

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
ManageEngine Desktop Central versions prior to 9 build 91093

Description
The FileUploadServlet class in ManageEngine Desktop Central does not restrict what may be uploaded. The user-supplied ConnectionId parameter is used when naming the stored file, so a remote, unauthenticated attacker can append a null byte to its value, truncate the file name at that point, and thereby choose the name and extension of the file written to disk. Uploading a server-side script in this way yields arbitrary code execution in the context of SYSTEM.

Recommendations
For ManageEngine Desktop Central versions prior to 9 build 91093, update to build 91093 or later. Until the patch is applied, restrict network access to the Desktop Central web interface (and therefore to FileUploadServlet) to trusted hosts: the endpoint requires no authentication, so any host that can reach it can exploit it. The ConnectionId value is supplied by the attacker in the upload request, so no server-side setting avoids it; access restriction is the only interim workaround.
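The following is an added example, not ManageEngine code and not the advisory's, that models the bug class described above: a file name built from a caller-controlled identifier that is later handed to native file I/O, where a C string ends at the first NUL byte. UPLOAD_DIR, FORCED_EXT, the function names and the sample identifiers are all assumptions made for the illustration; the real servlet's path construction is not reproduced. The vulnerable builder is shown next to a hardened one that rejects NUL bytes, allow-lists the identifier and re-checks containment.

```python
"""Model of null-byte file-name truncation (added example, not vendor code).

The hypothetical server (assumption) joins an attacker-controlled identifier
with a fixed archive extension and passes the result to native file I/O.
"""
import posixpath
import re

UPLOAD_DIR = "/opt/app/uploads"   # assumed storage directory
FORCED_EXT = ".7z"                # assumed extension the server appends


def native_path(path: str) -> str:
    """Emulate the managed-to-native boundary: everything after a NUL is lost."""
    return path.split("\x00", 1)[0]


def vulnerable_target(connection_id: str) -> str:
    """Vulnerable: the identifier is trusted, so a trailing NUL drops FORCED_EXT
    and an embedded '../' lets the file land outside UPLOAD_DIR."""
    return native_path(posixpath.join(UPLOAD_DIR, connection_id + FORCED_EXT))


def escapes_upload_dir(path: str) -> bool:
    """True if the normalised path is not underneath UPLOAD_DIR."""
    root = posixpath.normpath(UPLOAD_DIR) + "/"
    return not posixpath.normpath(path).startswith(root)


SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


def hardened_target(connection_id: str) -> str:
    """Hardened: reject NUL bytes outright, allow-list the identifier so it can
    carry neither a separator nor an extension, and re-check containment."""
    if "\x00" in connection_id:
        raise ValueError("NUL byte in ConnectionId")
    if not SAFE_ID.fullmatch(connection_id):
        raise ValueError("ConnectionId must match [A-Za-z0-9_-]{1,64}")
    path = posixpath.join(UPLOAD_DIR, connection_id + FORCED_EXT)
    if escapes_upload_dir(path):  # unreachable after the allow-list; defence in depth
        raise ValueError("path escapes upload directory")
    return path


def rejects(connection_id: str) -> bool:
    """Convenience check: does the hardened builder refuse this identifier?"""
    try:
        hardened_target(connection_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a benign id, then two crafted ids ending in a NUL byte
    for cid in ("session42", "shell.jsp\x00", "../../webapps/ROOT/x.jsp\x00"):
        target = vulnerable_target(cid)
        print(f"vulnerable: {cid!r:32} -> {target} (escapes dir: {escapes_upload_dir(target)})")
        try:
            print(f"hardened  : {cid!r:32} -> {hardened_target(cid)}")
        except ValueError as exc:
            print(f"hardened  : {cid!r:32} -> rejected ({exc})")
```

The crafted identifiers show both consequences of the truncation: the forced extension disappears, so the attacker picks the file type, and a relative path in the identifier moves the file into a directory from which server-side scripts are served. Java runtimes from 7u40 onward refuse java.io.File paths containing a NUL byte, so the truncation modelled here reflects older runtimes; the allow-list in hardened_target is the durable fix regardless of runtime behaviour.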

Exploit

Fix

Weakness Enumeration

Unrestricted File Upload

Related identifiers

BDU:2017-02305
CVE-2015-8249

Affected products

Manageengine Desktop Central