Vulnerability Information
Vulnerability Title
N/A
Vulnerability Description
An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. An authenticated user can upload a crafted web.config file by sending a crafted POST request to /ASDKAPI/api/v8.6/item/addfile, which is processed by the ASP.NET runtime. The uploaded configuration file alters the execution context of the upload directory, enabling compilation and execution of attacker-controlled code (e.g., generation of an .aspx webshell). This allows remote command execution on the server without user interaction beyond authentication, impacting both On-Premise and SaaS deployments. The vendor has fixed the issue in Aranda Service Desk V8 8.30.6.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Aranda Service Desk Web Edition Security Vulnerability
Vulnerability Description
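Aranda Service Desk Web Edition is a process management service desk system from Aranda, a US company. Aranda Service Desk Web Edition contains a security vulnerability that stems from improper validation of uploaded files and may lead to remote code execution.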
CVSS Information
N/A
Vulnerability Type
N/A