# Security Updates on Vulnerabilities

## Elevation of Privilege

This document lists and explains the privilege-elevation vulnerabilities that have been reported.

| Serial No. | Vulnerabilities | Fix Released on | Reported by |
|---|---|---|---|
| 1 | CVE-2019-12133 | 30-April-2019 | Hashim Jawad from ACTIVELabs |
| 2 | CVE-2018-13411, CVE-2018-13412 | 23-Aug-2018 | Abdullah AlJaber |
| 3 | CVE-2018-12999 | 26-July-2018 | DBAppSecurity |
| 4 | CVE-2018-5339 and CVE-2018-5340 | 24-April-2018 | NCC Group Security Advisory |
| 5 | CVE-2018-5337, CVE-2018-5338, CVE-2018-5341 | 27-March-2018 | NCC Group Security Advisory |

### What was the problem?

1. Improper permissions on the `C:\ManageEngine` directory allowed non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM.
2. Unauthorised users on a computer with the Endpoint Central Agent installed were able to access a command prompt with SYSTEM privileges.
3. Unauthenticated users were able to delete files from the Endpoint Central server machine.
4. Unauthorised users were able to execute queries to alter entries in the database.
5. Unauthenticated users were able to:
   - Execute queries (query type restriction bypass) on the Endpoint Central Server.
   - Execute any web executable throughout the network using directory traversal or file type restriction bypass.

### How do I fix it?

These vulnerabilities have been identified and fixed. To apply the fix, follow the steps below:

1. Log in to your Endpoint Central console and click your current build number in the top right corner.
2. The latest build applicable to you is shown there. Download the PPM and update.

**Keywords:** Query Execution, Security Updates, Vulnerabilities and Fixes.
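
For item 1 under "What was the problem?", an administrator can confirm after updating that the installation directory no longer grants write-capable rights to non-privileged principals. The script below is an added example, not ManageEngine's own tooling; the trusted-principal list (English account names) and the choice of rights treated as write-capable are assumptions to adjust per environment.

```powershell
# Added example: report ACEs on a directory that give write-capable rights
# to principals outside an expected privileged set.
param(
    [string]$Path = 'C:\ManageEngine'   # directory named in item 1 above
)

# Assumption: principals expected to hold write access (English account names).
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Rights that allow planting or replacing files, or rewriting the ACL itself.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Some ACEs store generic rights instead: GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$genericMask = 0x50000000
$mask = $writeMask -bor $genericMask

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    Write-Error "Directory not found: $Path"
    exit 2
}

$findings = foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }               # deny ACEs are not a risk here
    if ($trusted -contains $ace.IdentityReference.Value) { continue }  # expected privileged principal
    if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }   # read/execute only
    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit so the check can gate a compliance job
}
Write-Output "No write-capable ACEs for untrusted principals on $Path"
```

The script inspects only the ACL of the directory itself; subfolders with inheritance disabled need the same check run against them.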