Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2023-4768
CVE-2023-4768:
Zoho ManageEngine Desktop Central Server vulnerability analysis and mitigation
Overview
A CRLF injection vulnerability (CVE-2023-4768) was discovered in ManageEngine Desktop Central version 9.1.0. The vulnerability was disclosed on November 3, 2023, and affects the software's file handling functionality (INCIBE Advisory, NVD).
Technical details
The vulnerability exists in the fileName parameter handling within the path /STATE_ID/1613157927228/InvSWMetering.pdf. It has been assigned a CVSS v3.1 base score of 6.1 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-93 (Improper Neutralization of CRLF Sequences) (INCIBE Advisory).
Impact
If exploited, this vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks through the manipulation of the fileName parameter (INCIBE Advisory).
Mitigation and workarounds
The vulnerability has been fixed in the latest version of Desktop Central. Users are advised to update to the most recent version of the software (INCIBE Advisory).
Additional resources
Source: This report was generated using AI
Related Zoho ManageEngine Desktop Central Server vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management