Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server.
Recommended CVSS V3 rating: 10.0 (Critical)
Vector- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
- 24th March 2018 - discovered and reported to vendor
- 4th April 2018 - checked again with vendor as there was no response
- 4th April 2018 - vendor acknowledged bug
- 5th June 2018 - vendor publicly acknowledged vulnerability and announced it was fixed at https://www.manageengine.com/products/applications_manager/issues.html
- 6th June 2018 - Public Disclosure (CVE-2018-11808)