ManageEngine Endpoint Central < 11.3.2400.15 , < 11.3.2406.08 Incorrect Authorization vulnerability

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(206714);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/09");

  script_cve_id("CVE-2024-38868");
  script_xref(name:"IAVA", value:"2024-A-0539");

  script_name(english:"ManageEngine Endpoint Central < 11.3.2400.15 , < 11.3.2406.08 Incorrect Authorization vulnerability");

  script_set_attribute(attribute:"synopsis", value:
"The remote ManageEngine Endpoint Central host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of ManageEngine Endpoint Central installed on the remote Windows host is either prior to 11.3.2400.15 
or prior to 11.3.2406.08. It is,therefore, affected by an incorrect authorization vulnerability. For more 
information, consult the vendor advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://www.manageengine.com/products/desktop-central/security-updates-ngav.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6e052dc2");
  script_set_attribute(attribute:"solution", value:
"Upgrade to ManageEngine Endpoint Central versions 11.3.2400.15, 11.3.2406.08 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-38868");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/04/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/09/06");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:zohocorp:manageengine_endpoint_central");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("manageengine_desktop_central_installed.nbin");
  script_require_keys("installed_sw/ManageEngine Desktop Central");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::combined_get_app_info(app:'ManageEngine Desktop Central');

var constraints = [
  { 'fixed_version' : '11.3.2400.15' },
  { 'min_version' : '11.3.2406.00', 'fixed_version' : '11.3.2406.08' }
];

vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_HOLE
);