CVE-2018-12999
HIGHZoho ManageEngine Desktop Central 10.0.255 - Unauthenticated Arbitrary File Deletion via AgentTrayIconServlet
Title source: llmDescription
Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI.
References (4)
Core 4
Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html
Exploit, Third Party Advisory x_refsource_misc
https://github.com/unh3x/just4cve/issues/9
Exploit, Mailing List, Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2018/Jul/74
Exploit, Third Party Advisory x_refsource_misc
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201807-035
Scores
CVSS v3
7.5
EPSS
0.0966
EPSS Percentile
93.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-20
Status
published
Products (1)
zohocorp/manageengine_desktop_central
10.0.255
Published
Jun 29, 2018
Tracked Since
Feb 18, 2026