Arbitrary File Deletion Vulnerability in Zoho ManageEngine Desktop Central 10.0.255

CVE-2018-12999 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without logging in, by sending a specially crafted request to the /agenttrayicon URI that contains a computerName=../ substring.
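For defenders reviewing web server logs, the following added example (not part of the advisory or of any vendor code) flags requests to /agenttrayicon whose computerName parameter contains a ".." path segment, including percent-encoded and backslash forms. It assumes combined-format access logs; the function names and every sample log entry are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def has_traversal(value):
    """True if value holds a '..' path segment, even under nested URL-encoding."""
    for _ in range(3):  # peel up to three extra layers of percent-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return ".." in re.split(r"[\\/]", value)

def is_suspicious(target):
    """Flag /agenttrayicon requests whose computerName contains a '..' segment."""
    parts = urlsplit(target)
    if not parts.path.rstrip("/").lower().endswith("/agenttrayicon"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    return any(
        has_traversal(value)
        for name, values in params.items() if name.lower() == "computername"
        for value in values
    )

def scan(lines):
    """Return (line number, client address, request target) for each hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and is_suspicious(match.group("target")):
            hits.append((number, line.split()[0], match.group("target")))
    return hits

# Constructed sample entries: addresses, method, timestamps, status codes and
# computerName values are made up for illustration.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2018:10:00:01 +0000] "GET /agenttrayicon?computerName=PC-0142 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jul/2018:10:00:05 +0000] "GET /agenttrayicon?computerName=../example HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jul/2018:10:00:06 +0000] "GET /agenttrayicon?computerName=%252e%252e%255cexample HTTP/1.1" 200 0',
    '192.0.2.11 - - [01/Jul/2018:10:00:09 +0000] "GET /index.html?computerName=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("possible CVE-2018-12999 probe: line %d from %s: %s" % hit)
```

Parameters sent in a request body do not appear in access logs, so this check only covers values carried in the query string.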
