Prophaze WAF Blog

XXE vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update (CVE-2020-8540)

Written by Rajaneesh | Mar 12, 2020 11:41:12 AM
Overview:
An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
Affected Product(s):
  • XML External Entity (XXE) Vulnerability (CVE-2020-8540)

    This document explains the XML External Entity (XXE) vulnerability (CVE-2020-8540) in the agent servlet, which was reported by kalimer0x00.

    What was the problem?

    The server periodically parses XML input sent by the agent in order to process its data. The attack occurs when the XML contains a reference to an external entity, which may be malicious. Resolving such an entity can lead to unintended operations and may crash the server.
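As an added illustration, not code from the advisory or from Zoho's product, the Java below shows the difference between a JAXP parser left at its defaults and one configured the way a servlet that parses agent XML should be: DOCTYPE declarations and external entities are refused, so a crafted DTD is rejected before any entity is resolved. The class name, the two sample XML documents and the `file:///PLACEHOLDER` URI are assumptions made for the example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class AgentXmlParser {

    // Constructed sample: a benign agent report, as the servlet might receive it.
    static final String BENIGN =
        "<?xml version=\"1.0\"?><report><host>agent-01</host><status>ok</status></report>";

    // Constructed sample: the same report carrying a DTD that declares an external
    // entity. The SYSTEM URI is a placeholder; the hardened parser never resolves it.
    static final String WITH_DTD =
        "<?xml version=\"1.0\"?><!DOCTYPE report [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>"
        + "<report><host>&ext;</host><status>ok</status></report>";

    // Parser as configured by default: DOCTYPE declarations are accepted and external
    // entities are resolved, which is the condition the advisory describes.
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened parser: refusing DOCTYPE declarations outright is the single most
    // effective setting; the remaining features and attributes are defence in depth
    // for parser implementations where that feature is unavailable.
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Parses one report and returns the <host> value, or the parser's rejection reason.
    static String parseHost(DocumentBuilder parser, String xml) {
        try {
            Document doc = parser.parse(new InputSource(new StringReader(xml)));
            return "parsed host=" + doc.getElementsByTagName("host").item(0).getTextContent();
        } catch (SAXException | IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        DocumentBuilder hardened = hardenedParser();
        // Benign input still parses normally after hardening.
        System.out.println(parseHost(hardened, BENIGN));
        // The DTD is refused at the DOCTYPE token, before any entity is looked at.
        System.out.println(parseHost(hardened, WITH_DTD));
        // The default parser instead attempts to open the SYSTEM URI; with a readable
        // path its contents would be substituted into <host> and returned to the caller.
        System.out.println(parseHost(defaultParser(), WITH_DTD));
    }
}
```

When applying this to an existing servlet, the check worth adding to a test suite is the second call: a document with any DOCTYPE must produce a `SAXException`, and a benign agent report must still parse, so that the hardening is verified on the parser the application actually instantiates rather than assumed from the configuration.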


Solution:

How do I fix it?

This was identified and fixed on 07-Mar-2020. To apply this fix, follow the steps below:

  1. Log in to your Desktop Central console and click on your current build number in the top-right corner.
  2. Download the latest build that is applicable to you.