CVE-2020-10859: Arbitrary File Upload Vulnerability Prevention for Endpoint Central

This document explains the arbitrary file upload vulnerability CVE-2020-10859 in Endpoint Central, which was reported by Wei.

What was the problem?

A vulnerability in the ZIP decompression portion could be exploited by crafting a ZIP file containing a malicious path. This arbitrary file upload vulnerability in the Windows app dependency file upload functionality allowed authenticated users (with permissions to add apps to the App Repository) to upload any file without proper validation. The vulnerability has been mitigated, and updates have been released for ManageEngine Endpoint Central.
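The kind of check that prevents a malicious entry path from escaping the extraction directory, shown as an added example (not ManageEngine's code; the advisory does not describe how the fix was implemented). The names `safe_target`, `extract_validated`, `build_zip` and `UnsafeEntry` are hypothetical, and the archives are constructed samples.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeEntry(Exception):
    """An archive entry would be written outside the destination directory."""


def safe_target(dest: Path, name: str) -> Path:
    """Return the path under `dest` for entry `name`, or raise UnsafeEntry."""
    win = PureWindowsPath(name)
    # Reject absolute paths, drive letters and UNC paths in either flavour.
    if PurePosixPath(name).is_absolute() or win.is_absolute() or win.drive:
        raise UnsafeEntry(f"absolute path: {name!r}")
    # Treat both separators as separators and refuse any parent-directory step.
    parts = name.replace("\\", "/").split("/")
    if ".." in parts:
        raise UnsafeEntry(f"parent traversal: {name!r}")
    root = dest.resolve()
    target = root.joinpath(*[p for p in parts if p not in ("", ".")]).resolve()
    # Containment check on the resolved path (covers symlinked directories).
    if not target.is_relative_to(root):
        raise UnsafeEntry(f"escapes destination: {name!r}")
    return target


def extract_validated(data: bytes, dest: Path) -> list[str]:
    """Validate every entry first; nothing is written if any entry is unsafe."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        plan = [(i, safe_target(dest, i.filename)) for i in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(dest.resolve()).as_posix())
    return written


def build_zip(names: list[str]) -> bytes:
    """Constructed sample archive: every name becomes an entry with dummy content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"sample")
    return buf.getvalue()
```

Because the whole archive is validated before the first write, one bad entry rejects the upload without leaving partial files behind.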

How do I fix it?

This has been identified and fixed in Endpoint Central build version 10.0.484. To apply this fix, follow the steps below:

  1. Log in to your web console and click your current build number in the top right corner.
  2. You can find the latest build applicable to you. Download the PPM and update.

The issue is not applicable to cloud editions of Endpoint Central, Patch Manager Plus and Remote Access Plus.

Keywords: Security Updates, Vulnerabilities and Fixes.