Command injection in Zoho ManageEngine ServiceDesk Plus MSP



Published: 2022-11-24
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-40770
CWE-ID CWE-77
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Zoho ManageEngine ServiceDesk Plus MSP
Server applications / Other server solutions

Vendor Zoho Corporation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Command Injection

EUVDB-ID: #VU69556

Risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-40770

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary code on the system.

The vulnerability exists due to improper input validation within the invokeDataUploadTool() function when handling data passed via the fields required to configure the Analytics Plus integration. A remote privileged user can inject and execute arbitrary commands on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Zoho ManageEngine ServiceDesk Plus MSP: 10500 - 10610

External links

http://www.manageengine.com/products/service-desk/CVE-2022-40770.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###