CVE-2020-10189
Zoho ManageEngine Desktop Central File Upload Vulnerability
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
5
*Multiple Sources
Exploited in Wild
Yes
*KEV
Decision
-
*SSVC
Descriptions
Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.
Zoho ManageEngine Desktop Central anterior a la versión 10.0.474 permite la ejecución remota de código debido a la deserialización de datos no seguros en getChartImage en la clase FileStorage. Esto está relacionado con los servlets CewolfServlet y MDMLogUploaderServlet.
Zoho ManageEngine Desktop Central contains a file upload vulnerability that allows for unauthenticated remote code execution.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2020-03-06 CVE Reserved
- 2020-03-06 CVE Published
- 2020-03-17 First Exploit
- 2021-11-03 Exploited in Wild
- 2022-05-03 KEV Due Date
- 2024-08-04 CVE Updated
- 2024-11-21 EPSS Updated
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://cwe.mitre.org/data/definitions/502.html | Third Party Advisory | |
| https://www.zdnet.com/article/zoho-zero-day-published-on-twitter | Third Party Advisory | |
| https://twitter.com/steventseeley/status/1235635108498948096 |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/48224 | 2020-03-17 | |
| https://github.com/zavke/CVE-2020-10189-ManageEngine | 2020-11-12 | |
| http://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html | 2024-08-04 | |
| https://srcincite.io/advisories/src-2020-0011 | 2024-08-04 | |
| https://srcincite.io/pocs/src-2020-0011.py.txt | 2024-08-04 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html | 2020-03-05 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Zohocorp Search vendor "Zohocorp" | Manageengine Desktop Central Search vendor "Zohocorp" for product "Manageengine Desktop Central" | < 10.0.479 Search vendor "Zohocorp" for product "Manageengine Desktop Central" and version " < 10.0.479" | - |
Affected
| ||||||