CVE-2018-13412 — Incorrect Permission Assignment in Manageengine Desktop Central

CWE-732 — Incorrect Permission Assignment3 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 80.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Desktop Central

Timeline

PublishedSep 12

Latest updateMay 13

Description

An issue was discovered in the Self Service Portal in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages1 packages

▶NVDzohocorp/manageengine_desktop_central< 10.0.282

🔴Vulnerability Details

GHSA

GHSA-jcxw-q3cp-p5r4: An issue was discovered in the Self Service Portal in Zoho ManageEngine Desktop Central before 10↗2022-05-13

▶

CVEList

CVE-2018-13412: An issue was discovered in the Self Service Portal in Zoho ManageEngine Desktop Central before 10↗2018-09-12

▶