Vulnerabilities in Reports Module
This document explains the vulnerabilities in Endpoint Central's Reports module and the incorrect file path error.
What were the problems?
- A user with complete access to the Reports module of Endpoint Central could use commands that help achieve remote code execution (RCE).
- A file path error occurred during product startup.
- From the Reports page, users were able to view sensitive data present in the database.
How were the problems resolved?
- The access level for the Reports module has been downgraded to Read-Only for all users.
- An executable file from the batch files (with a properly defined path) is invoked when the Endpoint Central server is started or stopped.
- From now on, no user will be able to view sensitive tables.
How do I fix it?
These issues have been identified and fixed in Endpoint Central build 10.0.662, released on 03-May-2021. To apply the fix, follow the steps below:
- Log in to your web console and click your current build number in the top right corner.
- You can find the latest build applicable to you. Download the PPM and update.
For any further queries on this, please reach out to Endpoint Central support at firstname.lastname@example.org.
Note: This vulnerability is not applicable to the cloud edition of Endpoint Central.