PT-2020-2708 · Zoho · ManageEngine Desktop Central

Published: 2020-05-05 · Updated: 2020-05-12 · CVE-2020-10859

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

ManageEngine Desktop Central versions prior to 10.0.484

Description

The issue stems from a lack of restrictions on uploading files of unsafe types in ManageEngine Desktop Central. A remote attacker can exploit it by uploading a specially crafted malicious ZIP file in a crafted AppDependency API request; because the archive contents are not validated during extraction, directory traversal in the archive can potentially lead to arbitrary file writes on the server.

Recommendations

For versions prior to 10.0.484, update to version 10.0.484 or later to resolve the issue. As a temporary workaround, consider restricting access to the AppDependency API request to minimize the risk of exploitation, and avoid using the AppDependency API to upload ZIP files until the update is applied.
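As an added illustration of the extraction-time check that closes this bug class (example code written for this page, not Zoho's code and not the logic of the patched Desktop Central build), the Python snippet below builds a constructed archive containing entry names that try to escape the destination directory and shows an extractor that writes an entry only when its resolved path stays inside that directory:

```python
import io
import tempfile
import zipfile
from pathlib import Path


def build_sample_archive() -> bytes:
    """Constructed sample archive (not from the advisory): one benign entry
    plus two entry names that try to escape the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/helper.dll", b"benign content")
        zf.writestr("../../outside.txt", b"would land two levels above the root")
        zf.writestr("/etc/absolute.txt", b"absolute entry name")
    return buf.getvalue()


def safe_extract(archive_bytes: bytes, dest: str):
    """Write each entry only if its resolved target stays strictly inside dest.
    Returns (extracted_names, rejected_names). The check is done here rather
    than delegated to ZipFile.extractall, so the decision is explicit and
    rejected names can be logged or alerted on."""
    root = Path(dest).resolve()
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            # '..' segments and absolute names resolve to a path outside root
            target = (root / info.filename).resolve()
            if root not in target.parents:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def run_demo():
    """Extract the constructed archive into a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), tmp)


if __name__ == "__main__":
    ok, bad = run_demo()
    print("extracted:", ok)
    print("rejected:", bad)
```

A rejected entry name is a useful detection signal: an upload whose archive contains traversal or absolute entry names is worth logging with the requesting account and source address.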

Fix

Unrestricted File Upload

Path traversal


Weakness Enumeration

Related Identifiers

BDU:2020-02784
CVE-2020-10859

Affected Products

ManageEngine Desktop Central