PT-2020-7580 · Manageengine · Zoho Manageengine Desktop Central

Thomas Hibbert · Published 2020-01-27 · Updated 2020-02-05 · CVE-2013-7390

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: ManageEngine DesktopCentral versions 7.x through 8.0.0 before build 80293

Description: The issue allows remote attackers to execute arbitrary code by uploading a file with a .jsp extension, then accessing it via a direct request to the file in the webroot. This is due to an unrestricted file upload vulnerability in the AgentLogUploadServlet.

Recommendations: For ManageEngine DesktopCentral versions 7.x through 8.0.0 before build 80293, update to a version that includes build 80293 or later to resolve the issue. As a temporary workaround, consider restricting access to the AgentLogUploadServlet to minimize the risk of exploitation. Avoid allowing uploads of files with .jsp extensions until the issue is resolved.
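
For servers that cannot be updated immediately, the pattern in the description (an upload request followed by a direct request for a .jsp file) can be searched for in web access logs. The following is an added example, not code from the advisory or the vendor. It assumes combined-format access logs and that the upload endpoint's URL contains the string passed as `upload_marker`; the page does not give the servlet's URL mapping, so set that value from your own deployment. The log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log lines (combined log format); paths and IPs are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Feb/2020:10:15:02 +0000] "POST /AgentLogUploadServlet HTTP/1.1" 200 12
198.51.100.7 - - [03/Feb/2020:10:15:09 +0000] "GET /logs/report.jsp HTTP/1.1" 200 431
203.0.113.20 - - [03/Feb/2020:10:20:00 +0000] "POST /AgentLogUploadServlet HTTP/1.1" 200 12
203.0.113.20 - - [03/Feb/2020:11:45:00 +0000] "GET /index.jsp HTTP/1.1" 200 900
192.0.2.44 - - [03/Feb/2020:10:30:00 +0000] "GET /logs/other.jsp HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_upload_then_jsp(log_text, upload_marker="AgentLogUploadServlet",
                         window=timedelta(minutes=10)):
    """Return (ip, upload_time, jsp_path) for every successfully served .jsp
    request that follows an upload request from the same client within `window`.
    `upload_marker` is an assumption: adjust it to the endpoint's real URL."""
    last_upload = {}   # client IP -> time of its most recent upload request
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]   # ignore the query string
        if upload_marker.lower() in path.lower():
            last_upload[m["ip"]] = ts
        elif path.lower().endswith(".jsp") and m["status"].startswith("2"):
            up = last_upload.get(m["ip"])
            if up is not None and timedelta(0) <= ts - up <= window:
                hits.append((m["ip"], up.isoformat(), path))
    return hits

if __name__ == "__main__":
    for hit in find_upload_then_jsp(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review rather than proof of compromise: check whether the requested .jsp file exists in the webroot and whether it belongs to the product.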

Exploit

Fix

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2013-7390

Affected Products

Zoho Manageengine Desktop Central