This security bulletin contains one low risk vulnerability.
CWE-77 - Command injection
Exploit availability: NoDescription
The vulnerability allows a remote user to execute arbitrary code on the system.
The vulnerability exists due to improper input validation within the invokeDataUploadTool() function when handling data passed via the fields required to configure the Analytics Plus integration. A remote privileged user can inject and execute arbitrary commands on the system.
Install updates from vendor's website.Vulnerable software versions
Zoho ManageEngine ServiceDesk Plus: 13.0 13000 - 13.0 13010
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?