Unrated severityNVD Advisory· Published Jun 29, 2018· Updated Aug 5, 2024

CVE-2018-12999

Description

Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI.

Affected products

Manageengine/Desktopcentralinferred
Range: <=10.0.255

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.htmlmitrex_refsource_MISC
seclists.org/fulldisclosure/2018/Jul/74mitremailing-listx_refsource_FULLDISC
www.cnnvd.org.cn/web/xxk/ldxqById.tagmitrex_refsource_MISC
github.com/unh3x/just4cve/issues/9mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.008
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000