This script is Copyright (C) 2013-2016 Tenable Network Security, Inc.
The remote web server contains a Java-based web application that is
affected by a remote code execution vulnerability.
The version of ManageEngine Desktop Central running on the remote host
is affected by a remote code execution vulnerability due to a failure
by the AgentLogUploadServlet script to properly sanitize user-supplied
input to the 'fileName' parameter. A remote, unauthenticated attacker
can exploit this to upload to the remote host files containing
arbitrary code and then execute them with NT-AUTHORITY\SYSTEM
Note that this plugin tries to upload a JSP file to <DocumentRoot>
and then fetch it, thus executing the Java code in the JSP file. The
plugin attempts to delete the JSP file after a successful upload and
fetch. The user is advised to delete the JSP file if Nessus fails to
See also :
Upgrade to ManageEngine Desktop Central 8 build 80293 or later.
Risk factor :
Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 7.8
Public Exploit Available : true