PT-2011-11: Arbitary Files Reading in ManageEngine ServiceDesk Plus 8.0 Vulnerable softwareManageEngine ServiceDesk Plus Version: 8.0 and earlierApplication link: http://www.servicedeskplus.comSeverity levelSeverity level: High Impact: Arbitary Files Reading Access Vector: Remote CVSS v2: Base Score: 7.8 Vector: (AV:N/AC:L/Au:N/C:C/I:N/A:N)CVE: not assign Software description ManageEngine ServiceDesk Plus is a technical support and assests management system.Vulnerability descriptionThe specialists of the Positive Research center have detected "Arbitary Files Reading" vulnerability in ManageEngine ServiceDesk Plus.Insufficient input filtering in file loading script allows unauthorized users to conduct traversal attack and load arbitrary files from a partition with ServiceDesk application.How to fix Update your software up to the latest versionAdvisory status 24.06.2011 - Vendor is notified 28.06.2011 - Vendor gets vulnerability details 23.04.2012 - Vendor releases fixed version and details 13.09.2012 - Public disclosureCreditsThe vulnerabilities has discovered by Dmitry Evteev, Positive Research Center (Positive Technologies Company)Referenceshttp://en.securitylab.ru/lab/PT-2011-11 Reports on the vulnerabilities previously discovered by Positive Research:http://ptsecurity.com/research/advisory/ http://en.securitylab.ru/lab/