Lucene search

[email protected]CVE-2020-24786

HistoryAug 31, 2020 - 3:15 p.m.

CVE-2020-24786

2020-08-3115:15:00

CWE-287

[email protected]

web.nvd.nist.gov

cve-2020-24786

zoho manageengine

exchange reporter plus

ad360

adselfservice plus

datasecurity plus

recovermanager plus

eventlog analyzer

adaudit plus

o365 manager plus

cloud security plus

admanager plus

log360

java servlet

authentication bypass

system integration

vulnerability

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

Low

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.014 Low

EPSS

Percentile

86.4%

JSON

An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise.

CPENameOperatorVersion
zohocorp:manageengine_adselfservice_pluszohocorp manageengine adselfservice pluseq5.8
zohocorp:manageengine_adselfservice_pluszohocorp manageengine adselfservice plusle5.7
zohocorp:manageengine_exchange_reporter_pluszohocorp manageengine exchange reporter plusle5.4
zohocorp:manageengine_exchange_reporter_pluszohocorp manageengine exchange reporter pluseq5.5
zohocorp:manageengine_ad360zohocorp manageengine ad360le4.1
zohocorp:manageengine_ad360zohocorp manageengine ad360eq4.2
zohocorp:manageengine_datasecurity_pluszohocorp manageengine datasecurity plusle5.0
zohocorp:manageengine_datasecurity_pluszohocorp manageengine datasecurity pluseq6.0
zohocorp:manageengine_recovermanager_pluszohocorp manageengine recovermanager plusle5.4
zohocorp:manageengine_recovermanager_pluszohocorp manageengine recovermanager pluseq6.0

CPE	Name	Operator	Version
zohocorp:manageengine_adselfservice_plus	zohocorp manageengine adselfservice plus	eq	5.8
zohocorp:manageengine_adselfservice_plus	zohocorp manageengine adselfservice plus	le	5.7
zohocorp:manageengine_exchange_reporter_plus	zohocorp manageengine exchange reporter plus	le	5.4
zohocorp:manageengine_exchange_reporter_plus	zohocorp manageengine exchange reporter plus	eq	5.5
zohocorp:manageengine_ad360	zohocorp manageengine ad360	le	4.1
zohocorp:manageengine_ad360	zohocorp manageengine ad360	eq	4.2
zohocorp:manageengine_datasecurity_plus	zohocorp manageengine datasecurity plus	le	5.0
zohocorp:manageengine_datasecurity_plus	zohocorp manageengine datasecurity plus	eq	6.0
zohocorp:manageengine_recovermanager_plus	zohocorp manageengine recovermanager plus	le	5.4
zohocorp:manageengine_recovermanager_plus	zohocorp manageengine recovermanager plus	eq	6.0

Rows per page:

1-10 of 221

References

medium.com/%40frycos/another-zoho-manageengine-story-7b472f1515f5

pitstop.manageengine.com/portal/en/community/topic/admanager-plus-fixes-and-enhancements

pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability

pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability-17-5-2020

pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability-18-5-2020

pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability

pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability-15-5-2020-1

pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability-18-5-2020

pitstop.manageengine.com/portal/en/kb/articles/manageengine-cloud-security-plus-security-advisory-regarding-unauthenticated-product-integration-vulnerability

pitstop.manageengine.com/portal/en/kb/articles/manageengine-log360-security-advisory-regarding-unauthenticated-product-integration-vulnerability

www.manageengine.com/data-security/release-notes.html

www.manageengine.com/products/eventlog/features-new.html

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

Low

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.014 Low

EPSS

Percentile

86.4%

JSON

Related for CVE-2020-24786

prion1 cvelist1