Zohocorp: >> Manageengine Desktop Central >> 10.0.255 Security Vulnerabilities
Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure.
CVSS Score
7.5
EPSS Score
0.11
Published
2020-03-30
An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
CVSS Score
9.8
EPSS Score
0.225
Published
2020-03-11
CVE-2020-10189
Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.
Known exploited
CVSS Score
9.8
EPSS Score
0.942
Published
2020-03-06
An issue was discovered in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version.
CVSS Score
8.8
EPSS Score
0.039
Published
2018-09-12
An issue was discovered in the Self Service Portal in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version.
CVSS Score
7.8
EPSS Score
0.001
Published
2018-09-12
An issue was discovered in Zoho ManageEngine Desktop Central before 100230. There is unauthenticated remote access to all log files of a Desktop Central instance containing critical information (private information such as location of enrolled devices, cleartext passwords, patching level, etc.) via a GET request on port 8022, 8443, or 8444.
CVSS Score
9.8
EPSS Score
0.095
Published
2018-07-16
An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64 encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the cleartext password of recovery_password of Android devices, the cleartext password of account "set", the location of devices enrolled in the platform (with UUID and information related to the name of the person at the location), critical information about all enrolled devices such as Serial Number, UUID, Model, Name, and auth_session_token (usable to spoof a terminal identity on the platform), etc.
CVSS Score
9.8
EPSS Score
0.096
Published
2018-07-16
Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI.
CVSS Score
7.5
EPSS Score
0.139
Published
2018-06-29
Page 2