Three critical vulnerabilities have been identified in version 9.1.0 of ManageEngine Desktop Central.
Three critical vulnerabilities
CVE-2023-4767: a CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv.
CVE-2023-4768: a CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.pdf.
CVE-2023-4769: an SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. This vulnerability could allow an authenticated attacker to launch targeted attacks, such as a cross-port attack, service enumeration and other attacks via HTTP requests.
These vulnerabilities pose a serious threat to users running ManageEngine Desktop Central version 9.1.0. It is therefore important that they apply the latest security updates immediately to protect their computers and data. Otherwise, your computers may be at serious risk.
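A detection check for the two CRLF injection entries above (CVE-2023-4767 and CVE-2023-4768), added here as an example and not taken from the advisory or from ManageEngine: it scans web access-log lines for CR/LF characters, plain or URL-encoded, in the fileName parameter of the InvSWMetering export paths. The combined-log line format, the sample lines, the idea that fileName arrives in the query string and that the numeric STATE_ID segment varies are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Export paths named in the advisory; the numeric STATE_ID is assumed to vary.
EXPORT_PATH = re.compile(r"/STATE_ID/\d+/InvSWMetering\.(csv|pdf)$")
# Request field of a combined-format access-log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def has_crlf(value, max_rounds=3):
    """True if value contains CR or LF, also after repeated URL-decoding."""
    for _ in range(max_rounds):
        if "\r" in value or "\n" in value:
            return True
        decoded = unquote(value)
        if decoded == value:
            return False
        value = decoded
    return "\r" in value or "\n" in value

def suspicious_requests(log_lines):
    """Return log lines whose fileName parameter on the export paths carries CR/LF."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not EXPORT_PATH.search(url.path):
            continue
        # parse_qsl decodes once; has_crlf also catches double encoding (%250a).
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == "fileName" and has_crlf(value):
                hits.append(line)
                break
    return hits

# Constructed sample access-log lines (not taken from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2023:10:00:00 +0000] "GET /STATE_ID/1613157927228/InvSWMetering.csv?fileName=report.csv HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Sep/2023:10:01:00 +0000] "GET /STATE_ID/1613157927228/InvSWMetering.csv?fileName=a%0d%0aX-Test:1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Sep/2023:10:02:00 +0000] "GET /STATE_ID/1613157927228/InvSWMetering.pdf?fileName=a%250aX-Test:1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Sep/2023:10:03:00 +0000] "GET /other.do?fileName=a%0d%0ab HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit only shows that a request carried line-break characters in fileName; whether the server reflected them into response headers depends on the installed version.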
Source: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-manageengine-desktop-central