Command Injection in Zoho ManageEngine ServiceDesk Plus - CVE-2022-40770

 

Command Injection in Zoho ManageEngine ServiceDesk Plus - CVE-2022-40770

Published: November 24, 2022


Vulnerability identifier: #VU69556
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-40770
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Zoho Corporation
Affected software:
Zoho ManageEngine ServiceDesk Plus

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the system.

The vulnerability exists due to improper input validation within the invokeDataUploadTool() function when handling data passed via the fields required to configure the Analytics Plus integration. A remote privileged user can inject and execute arbitrary commands on the system.


How to mitigate CVE-2022-40770

Install updates from vendor's website.

Sources