This document explains the arbitrary file upload vulnerability CVE-2020-10859 in Desktop Central, which was reported by Wei.
A vulnerability in the ZIP decompression code can be exploited by crafting a ZIP file that contains a malicious path. The arbitrary file upload vulnerability in the Windows app dependency file upload functionality allowed authenticated users (with permissions to add apps to the App Repository) to upload any file without proper validation. This vulnerability has been mitigated, and updates have been released for ManageEngine Desktop Central.
This has been identified and fixed in Desktop Central build version 10.0.484. To apply this fix, follow the steps below:
The issue is not applicable to cloud editions of Desktop Central, Patch Manager Plus and Remote Access Plus.
Keywords: Security Updates, Vulnerabilities and Fixes.