CVE-2020-10859: Arbitrary File Upload Vulnerability Prevention for Desktop Central

This document explains the arbitrary file upload vulnerability CVE-2020-10859 in Desktop Central that was reported by Wei

What was the problem?

A vulnerability in the ZIP decompression code can be exploited by crafting a ZIP file with a malicious path. This arbitrary file upload vulnerability in the Windows app dependency file upload functionality allowed authenticated users (with permissions to add apps to the App Repository) to upload any file without proper validation. The vulnerability has been mitigated, and updates have been released for ManageEngine Desktop Central.

How do I fix it?

This has been identified and fixed in Desktop Central build version 10.0.484. To apply this fix, follow the steps below:

  1. Log in to your Desktop Central console and click your current build number in the top right corner.
  2. You can find the latest build applicable to you. Download the PPM and update.

This issue does not apply to the cloud editions of Desktop Central, Patch Manager Plus and Remote Access Plus.

Keywords: Security Updates, Vulnerabilities and Fixes.