
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN252
_____________________________________________________________________

DATE                : 06/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Zoho ManageEngine Desktop Central
                          versions prior to 10.0.484.

=====================================================================
https://www.manageengine.com/products/desktop-central/arbitrary-file-upload-vulnerability.html
_____________________________________________________________________

CVE-2020-10859: Arbitrary File Upload Vulnerability Prevention for
Desktop Central


This document explains the arbitrary file upload vulnerability
CVE-2020-10859 in Desktop Central, which was reported by Wei.


What was the problem?

A vulnerability in the ZIP decompression code can be exploited by
crafting a ZIP file with a malicious path. This arbitrary file upload
vulnerability in the Windows app dependency file upload functionality
allowed authenticated users (with permissions to add apps to the App
Repository) to upload any file, without proper validation. This
vulnerability has been mitigated and updates have been released for
ManageEngine Desktop Central.
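
The check that defeats a ZIP member with a malicious path, shown as an
added example: this is not ManageEngine's fix and not code from the
advisory. The names check_member, safe_extract, build_zip and
UnsafeEntry are hypothetical, and the sample archives are constructed.

```python
import io
import os
import zipfile
from pathlib import PurePosixPath, PureWindowsPath


class UnsafeEntry(Exception):
    """An archive member name would resolve outside the extraction directory."""


def check_member(name: str) -> None:
    """Reject rooted, drive-qualified or parent-traversing member names."""
    # Parse as both POSIX and Windows path: '\\' is a separator on Windows.
    for view in (PurePosixPath(name), PureWindowsPath(name)):
        if view.anchor or ".." in view.parts:
            raise UnsafeEntry(name)


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Validate every member before writing anything; one bad name rejects all."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            check_member(name)
            # Defence in depth: the resolved target must stay under dest.
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise UnsafeEntry(name)
        zf.extractall(dest_real)
    return names


def build_zip(names) -> bytes:
    """Constructed sample input: an in-memory ZIP with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed sample content")
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extract(build_zip(["deps/ok.txt", "../outside.txt"]), d)
        except UnsafeEntry as exc:
            print("rejected archive, unsafe member:", exc)
```

Because every name is checked before extractall runs, an archive
mixing valid and unsafe members leaves nothing on disk.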


How do I fix it?

This has been identified and fixed in Desktop Central build version
10.0.484. To apply this fix, follow the steps below:

    Log in to your Desktop Central console and click on your current
    build number in the top right corner.

    You will find the latest build applicable to you there. Download
    the PPM and update.



    Keywords: Security Updates, Vulnerabilities and Fixes.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================







