Enhanced Scope Security for Technician Roles in Endpoint Central

This document highlights the security update implemented in Endpoint Central to enhance the security of configuration deployments.

Severity: Medium

Fixed build:

For versions 11.3.2400.22 or below, upgrade to version 11.3.2400.25

For versions 11.3.2416.03 or below, upgrade to version 11.3.2416.04

Released on: June 2024

Reported by: Jayateertha Guruprasad via Zoho Corp Bug Bounty Program

What was the problem?

The scope parameters of certain APIs were misconfigured for technicians, allowing them to view the execution summary of computer configurations beyond their usually designated scope. This issue has now been resolved by implementing proper access control mechanisms.

How do I fix it?

To apply the fix, please follow the steps below:

  1. Log in to your Endpoint Central console and click your current build number in the top-right corner.
  2. You'll be able to find the latest build applicable to you. Download the PPM and update.

Note: This vulnerability applies to both on-premises and cloud versions.

Help

For any further questions or concerns on this, please write to our support team at endpointcentral-support@manageengine.com