Lucene search
Piotr Bazydlo (@chudypb) of Trend Micro Zero Day InitiativeZDI-22-1611HistoryNov 21, 2022 - 12:00 a.m.
ManageEngine ServiceDesk Plus invokeDataUploadTool Command Injection Remote Code Execution Vulnerability
2022-11-2100:00:00
Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative
www.zerodayinitiative.com
17
vulnerability
manageengine
servicedesk plus
command injection
remote execution
authentication
system call
EPSS
0.002
Percentile
57.3%
This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine ServiceDesk Plus. Authentication is required to exploit this vulnerability. The specific flaw exists within the invokeDataUploadTool function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
Related
prion
prion
Command injection
2022-11-23 03:15:00
cvelist
cvelist
CVE-2022-40770
2022-11-23 00:00:00
nessus
nessus
ManageEngine ServiceDesk Plus < 13.0 Build 13011 RCE
2022-12-02 00:00:00
ManageEngine ServiceDesk Plus MSP < 13.0 Build 13000 RCE
2022-12-02 00:00:00
ManageEngine SupportCenter Plus < 11.0 Build 11026 Multiple Vulnerabilities
2022-12-02 00:00:00
nvd
nvd
CVE-2022-40770
2022-11-23 03:15:10
cve
cve
CVE-2022-40770
2022-11-23 03:15:10