CVE-2014-5007

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine Desktop Central versions prior to 9 build 90055 Zoho ManageEngine Desktop Central Managed Service Providers edition versions prior to 9 build 90055

Description A directory traversal issue exists in the agentLogUploader servlet, allowing remote attackers to write to and execute arbitrary files as SYSTEM. This is achieved by including a .. (dot dot) in the filename parameter.

Recommendations For versions prior to 9 build 90055, update to version 9 build 90055 or later to resolve the issue. As a temporary workaround, consider restricting access to the agentLogUploader servlet until a patch is available. Avoid using the filename parameter with untrusted input in the affected servlet until the issue is resolved.