Vulnerabilities in Reports module

This document explains the vulnerabilities in Desktop Central's Reports module and the incorrect file path error. All of them were reported by Tom Ellson.

What were the problems?

  1. A Desktop Central user who has complete access to the Reports module of Desktop Central can use commands that help in remote code execution (RCE).
  2. A file path error occurred during product startup.
  3. From the Reports page, Desktop Central users were able to view sensitive data present in the database.

How were the problems resolved?

  1. The access level for the Reports module has been downgraded to Read-Only for all Desktop Central users.
  2. An executable file from the batch files (with a properly defined path) is invoked when the Desktop Central server is started or stopped.
  3. From now on, no Desktop Central user will be able to view sensitive tables.

How do I fix it?

 These issues were identified and fixed in Desktop Central build 10.0.662, released on 03-May-2021. To apply the fix, follow the steps below:

  • Log in to your Desktop Central console and click your current build number in the top right corner.
  • You can find the latest build applicable to you. Download the PPM and update.

Keywords: Security Updates, Vulnerabilities and Fixes.