This script is Copyright (C) 2013-2016 Tenable Network Security, Inc.
The remote web server contains a Java-based web application that is
affected by a remote code execution vulnerability.
The version of ManageEngine Desktop Central running on the remote host
is affected by a remote code execution vulnerability due to a failure
by the AgentLogUploadServlet script to properly sanitize user-supplied
input to the 'fileName' parameter. A remote, unauthenticated attacker
can exploit this to upload to the remote host files containing
arbitrary code and then execute them with NT-AUTHORITY\SYSTEM
Note that this plugin tries to upload a JSP file to <DocumentRoot>
and then fetch it, thus executing the Java code in the JSP file. The
plugin attempts to delete the JSP file after a successful upload and
fetch. The user is advised to delete the JSP file if Nessus fails to
See also :
Upgrade to ManageEngine Desktop Central 8 build 80293 or later.
Risk factor :
Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 7.8
Public Exploit Available : true
Family: CGI abuses
Nessus Plugin ID: 71217 ()
Bugtraq ID: 63784
CVE ID: CVE-2013-7390
The cookie settings on this website are set to 'allow all cookies' to give you the very best website experience. If you continue without changing these settings, you consent to this - but if you want, you can opt out of all cookies by clicking below.