QwikSec

Security Database

CVE

CWE

Training

CVE-2018-12999

Published: Jun 29, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html

x_refsource_MISC

https://github.com/unh3x/just4cve/issues/9

x_refsource_MISC

20180720 [CVE-2018-12999]Zoho manageengine Desktop Central Arbitrary File Deletion

mailing-list

x_refsource_FULLDISC

http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201807-035

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.