Vulnerability Description
Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zohocorp | Manageengine Applications Manager | 13 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/104467Third Party AdvisoryVDB Entry
- https://github.com/kactrosN/publicdisclosuresThird Party Advisory
- https://www.manageengine.com/products/applications_manager/issues.htmlRelease NotesVendor Advisory
- https://www.manageengine.com/products/applications_manager/security-updates/secu
- http://www.securityfocus.com/bid/104467Third Party AdvisoryVDB Entry
- https://github.com/kactrosN/publicdisclosuresThird Party Advisory
- https://www.manageengine.com/products/applications_manager/issues.htmlRelease NotesVendor Advisory
- https://www.manageengine.com/products/applications_manager/security-updates/secu
FAQ
What is CVE-2018-11808?
CVE-2018-11808 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server i...
How severe is CVE-2018-11808?
CVE-2018-11808 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-11808?
Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Applications Manager.