This document explains the arbitrary file upload vulnerability CVE-2020-10859 in Endpoint Central, which was reported by Wei.
A vulnerability in the ZIP decompression code can be exploited by crafting a ZIP file with a malicious path. An arbitrary file upload vulnerability in the Windows app dependency file upload functionality allowed authenticated users (with permissions to add apps to the App Repository) to upload any file without proper validation. This vulnerability has been mitigated and updates have been released for ManageEngine Endpoint Central.
This has been identified and fixed in Endpoint Central build version 10.0.484. To apply this fix, follow the steps below:
The issue is not applicable to cloud editions of Endpoint Central, Patch Manager Plus and Remote Access Plus.
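The ZIP path problem described above comes from trusting entry names during decompression. As an added illustration (not ManageEngine's code or its fix), the following Python example checks every entry name before extraction and rejects the whole upload if any entry would be written outside the target directory; the function names and the sample archive builder are assumptions made for this example.

```python
import io
import os
import posixpath
import re
import zipfile

_DRIVE = re.compile(r"^[A-Za-z]:")  # drive-qualified names such as C:\...

def is_safe_entry(name: str) -> bool:
    """True if a ZIP entry name stays inside the extraction root."""
    path = name.replace("\\", "/")  # Windows accepts both separators
    if not path or "\x00" in path:
        return False
    # Absolute, UNC and drive-qualified paths ignore the extraction root.
    if path.startswith("/") or _DRIVE.match(path):
        return False
    # Collapse "a/../b" segments, then look for a leading "..".
    norm = posixpath.normpath(path)
    return norm != ".." and not norm.startswith("../")

def unsafe_entries(zip_bytes: bytes) -> list:
    """List entry names that would be written outside the root."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if not is_safe_entry(i.filename)]

def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract only if every entry is safe; otherwise reject the upload."""
    bad = unsafe_entries(zip_bytes)
    if bad:
        raise ValueError(f"rejected archive, unsafe entries: {bad}")
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            # Second check on the resolved path (covers links already in dest).
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"entry escapes root: {info.filename}")
            zf.extract(info, root)
            written.append(target)
    return written

def build_sample(names) -> bytes:
    """Build a constructed sample archive for testing the checks above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"demo")
    return buf.getvalue()
```

Rejecting the entire archive, rather than skipping the offending entries, keeps a partially extracted upload from reaching the repository.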
Keywords: Security Updates, Vulnerabilities and Fixes.