#VU15152 Improper access control in Zoho ManageEngine Desktop Central - CVE-2018-13412, CVE-2018-13411
Published: October 3, 2018
Zoho ManageEngine Desktop Central
Zoho Corporation
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an insecure implementation of the administrative functionality within the Self Service Portal on systems with the Desktop Central Agent installed. A local unprivileged user can run the "dcagenttrayicon.exe" application with the "-ssp" parameter and gain access to a Windows command prompt with SYSTEM privileges.
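A detection sketch for the behaviour described above, added here as an example and not taken from the advisory or the vendor. It assumes process-creation telemetry with Sysmon Event ID 1 field names, and it assumes (the advisory does not describe the process chain) that the SYSTEM shell appears in the same interactive session shortly after the "-ssp" launch; the 10-minute window, host names, users and install path are constructed.

```python
import ntpath
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per site
SHELLS = {"cmd.exe", "powershell.exe"}
SYSTEM = "NT AUTHORITY\\SYSTEM"
FMT = "%Y-%m-%d %H:%M:%S.%f"

def ev(time, host, user, session, image, cmdline):
    """Build one constructed record using Sysmon Event ID 1 field names."""
    return {"UtcTime": time, "Computer": host, "User": user,
            "TerminalSessionId": session, "Image": image, "CommandLine": cmdline}

TRAY = r"C:\<agent-dir>\dcagenttrayicon.exe"  # placeholder install path
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample data, not taken from a real host.
SAMPLE_EVENTS = [
    ev("2018-10-03 09:00:05.000", "WS01", r"CORP\alice", 2, TRAY, f'"{TRAY}" -ssp'),
    ev("2018-10-03 09:01:30.000", "WS01", SYSTEM, 2, CMD, "cmd.exe"),          # flagged
    ev("2018-10-03 09:02:00.000", "WS02", SYSTEM, 0, CMD, "cmd.exe /c ver"),   # service session
    ev("2018-10-03 09:00:00.000", "WS03", r"CORP\bob", 1, TRAY, f'"{TRAY}" -ssp'),
    ev("2018-10-03 09:30:00.000", "WS03", SYSTEM, 1, CMD, "cmd.exe"),          # outside window
    ev("2018-10-03 09:03:00.000", "WS01", r"CORP\alice", 2, CMD, "cmd.exe"),   # not SYSTEM
]

def find_suspect_shells(events, window=WINDOW):
    """Return (ssp_launch, shell) pairs where a SYSTEM shell starts in the same
    interactive session within `window` of a non-SYSTEM '-ssp' launch."""
    last_launch = {}  # (host, session) -> (timestamp, event)
    hits = []
    for e in sorted(events, key=lambda x: datetime.strptime(x["UtcTime"], FMT)):
        ts = datetime.strptime(e["UtcTime"], FMT)
        key = (e["Computer"], e["TerminalSessionId"])
        name = ntpath.basename(e["Image"]).lower()
        is_system = e["User"].upper() == SYSTEM
        if name == "dcagenttrayicon.exe" and not is_system \
                and "-ssp" in e["CommandLine"].lower().split():
            last_launch[key] = (ts, e)
        elif name in SHELLS and is_system and e["TerminalSessionId"] != 0:
            prior = last_launch.get(key)
            if prior and ts - prior[0] <= window:
                hits.append((prior[1], e))
    return hits

if __name__ == "__main__":
    for launch, shell in find_suspect_shells(SAMPLE_EVENTS):
        print(shell["Computer"], launch["User"], "->", shell["Image"], shell["UtcTime"])
```

Session 0 shells are skipped because services legitimately start SYSTEM processes there; a SYSTEM shell in a user's interactive session is the anomaly worth triaging.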