|Impact||CVSS V3 rating: 10.0 (Critical)|
|Reported||24 March 2018|
|Fixed||25 May 2018|
|Affected Builds||Till Build 13730|
|Fixed in||Build 13740|
|Overview||Incorrect Access Control in CustomFieldsFeedServlet.|
|Recommended Fix||Upgrade to Applications Manager Version 13740 and above|
Incorrect Access Control in CustomFieldsFeedServlet in ManageEngine Applications Manager Versions before 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server.
We recommend that you upgrade to Applications Manager Version 13740 to fix this issue.
Source and Acknowledgements
Other Resources: https://github.com/kactrosN/publicdisclosures