Vulnerabilities in Reports Module

This document explains the vulnerabilities in Endpoint Central's Reports module and the incorrect file path error.

What were the problems?

  1. A user with complete access to the Reports module of Endpoint Central can use commands that help in remote code execution (RCE).
  2. File path error during product startup.
  3. From the Reports page, users were able to view the sensitive data present in the database.

How were the problems resolved?

  1. The access level for the Reports module has been downgraded to Read-Only for all users.
  2. An executable file from the batch files (with a properly defined path) is invoked when the Endpoint Central server is started or stopped.
  3. From now on, no user will be able to view sensitive tables.

How do I fix it?

These issues have been identified and fixed in Endpoint Central build 10.0.662, released on 03-May-2021. To apply the fix, follow the steps below:

  • Log in to your web console and click your current build number in the top right corner.
  • You can find the latest build applicable to you. Download the PPM and update.

Credits

Tom Ellson

Help

For any further queries on this, please reach out to Endpoint Central support at desktopcentral-support@manageengine.com.

Note: This vulnerability is not applicable to the cloud edition of Endpoint Central.