Vendor: Desktop Central
By: Mohamed Idris
CVSS: 7.5 (HIGH)
CWE: Cross-Site Request Forgery (CSRF)
Product Name: Desktop Central
Affected Version From: All versions below build 90121
Affected Version To: Unknown
Patch Exists: YES
Related CVE: CVE-2014-9331
CPE: a:manageengine:desktop_central:9
Platforms Tested: Unknown
2014
ManageEngine Desktop Central 9 Add an admin user through Cross-Site Request Forgery (CSRF)
The ManageEngine Desktop Central 9 application is vulnerable to a Cross-Site Request Forgery (CSRF) attack. An authenticated application admin can be tricked into clicking a link that adds a new admin user to the application. The attacker needs to change the IP address in the code to the target server IP address.
Mitigation:
The vendor has provided a vulnerability fix for this issue. It is recommended to update to the latest version of ManageEngine Desktop Central.