DEVO-2022-0005
Summary
An arbitrary file write in entry attachments was fixed in Remote Desktop Manager 2022.2.
Affected Products
Remote Desktop Manager 2022.1 and earlier
Change Log
Initial Publication - 2022-06-21
Severity
Medium
Product
Remote Desktop Manager
Fix Version
2022.2
Arbitrary file write via path traversal in entry attachments
Description
Files can be attached to entries in Remote Desktop Manager. Special path characters were not properly sanitized when constructing the destination path. An attacker could construct a path that causes the file to be written to an arbitrary directory when the file is opened.
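The following is an added illustration of this bug class and a defensive destination-path check; it is not Remote Desktop Manager's code. The function names, the exception type and the sample file names are assumptions constructed for the example.

```python
import os

class UnsafeAttachmentName(ValueError):
    """The stored attachment name cannot be mapped inside the target directory."""

def naive_destination(base_dir, stored_name):
    # Bug class from the description: the stored name is joined as-is, so
    # separators and ".." segments inside it decide where the file lands.
    return os.path.normpath(os.path.join(base_dir, stored_name))

def safe_destination(base_dir, stored_name):
    # Keep only the final component. Both separator styles are handled on every
    # host OS because the name may have been authored on another platform.
    leaf = stored_name.replace("\\", "/").split("/")[-1].strip()
    # Refuse names that are empty, relative markers, or carry a drive or
    # stream prefix (":") or an embedded NUL.
    if leaf in ("", ".", "..") or ":" in leaf or "\x00" in leaf:
        raise UnsafeAttachmentName(repr(stored_name))
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, leaf))
    # Containment check after resolution: also catches a symlink that already
    # exists in the directory and points elsewhere.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafeAttachmentName(repr(stored_name))
    return candidate

if __name__ == "__main__":
    import tempfile
    # Constructed sample names, not taken from the advisory.
    samples = ["report.pdf", "../../outside.txt", "..\\..\\outside.txt", "..", "C:outside.txt"]
    with tempfile.TemporaryDirectory() as base:
        for name in samples:
            try:
                print(f"{name!r:24} -> {safe_destination(base, name)}")
            except UnsafeAttachmentName:
                print(f"{name!r:24} -> rejected")
```

Traversal-style names are reduced to their final component and land inside the target directory, while names that cannot be made safe are rejected before any file is written.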
Remediation and Workarounds
Upgrade to Remote Desktop Manager 2022.2.
Severity
Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
Affected Products
Remote Desktop Manager 2022.1 and earlier
CVE(s)
CVE-2022-33995