Lucene search

[email protected]NVD:CVE-2020-24786

HistoryAug 31, 2020 - 3:15 p.m.

CVE-2020-24786

2020-08-3115:15:10

CWE-287

[email protected]

web.nvd.nist.gov

cve-2020-24786

zoho manageengine

exchange reporter plus

ad360

adselfservice plus

datasecurity plus

recovermanager plus

eventlog analyzer

adaudit plus

o365 manager plus

cloud security plus

admanager plus

log360

java servlet

authentication bypass

system compromise

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.024

Percentile

90.0%

JSON

An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise.

Affected configurations

Nvd

Node

zohocorpmanageengine_adselfservice_plusRange≤5.7

zohocorpmanageengine_adselfservice_plusMatch5.8-

zohocorpmanageengine_adselfservice_plusMatch5.85800

zohocorpmanageengine_adselfservice_plusMatch5.85801

zohocorpmanageengine_adselfservice_plusMatch5.85802

zohocorpmanageengine_adselfservice_plusMatch5.85803

zohocorpmanageengine_adselfservice_plusMatch5.85804

zohocorpmanageengine_adselfservice_plusMatch5.85805

zohocorpmanageengine_adselfservice_plusMatch5.85806

zohocorpmanageengine_adselfservice_plusMatch5.85807

zohocorpmanageengine_adselfservice_plusMatch5.85808

zohocorpmanageengine_adselfservice_plusMatch5.85809

zohocorpmanageengine_adselfservice_plusMatch5.85810

zohocorpmanageengine_adselfservice_plusMatch5.85811

zohocorpmanageengine_adselfservice_plusMatch5.85812

zohocorpmanageengine_adselfservice_plusMatch5.85813

zohocorpmanageengine_adselfservice_plusMatch5.85814

zohocorpmanageengine_adselfservice_plusMatch5.85815

zohocorpmanageengine_adselfservice_plusMatch5.85816

Node

zohocorpmanageengine_exchange_reporter_plusRange≤5.4

zohocorpmanageengine_exchange_reporter_plusMatch5.55500

zohocorpmanageengine_exchange_reporter_plusMatch5.55501

zohocorpmanageengine_exchange_reporter_plusMatch5.55502

zohocorpmanageengine_exchange_reporter_plusMatch5.55503

zohocorpmanageengine_exchange_reporter_plusMatch5.55504

Node

zohocorpmanageengine_ad360Range≤4.1

zohocorpmanageengine_ad360Match4.24200

zohocorpmanageengine_ad360Match4.24201

zohocorpmanageengine_ad360Match4.24202

zohocorpmanageengine_ad360Match4.24203

zohocorpmanageengine_ad360Match4.24204

zohocorpmanageengine_ad360Match4.24205

zohocorpmanageengine_ad360Match4.24206

zohocorpmanageengine_ad360Match4.24207

zohocorpmanageengine_ad360Match4.24208

zohocorpmanageengine_ad360Match4.24209

zohocorpmanageengine_ad360Match4.24210

zohocorpmanageengine_ad360Match4.24212

zohocorpmanageengine_ad360Match4.24213

zohocorpmanageengine_ad360Match4.24214

zohocorpmanageengine_ad360Match4.24215

zohocorpmanageengine_ad360Match4.24216

zohocorpmanageengine_ad360Match4.24217

zohocorpmanageengine_ad360Match4.24219

zohocorpmanageengine_ad360Match4.24220

zohocorpmanageengine_ad360Match4.24222

zohocorpmanageengine_ad360Match4.24223

zohocorpmanageengine_ad360Match4.24224

zohocorpmanageengine_ad360Match4.24225

zohocorpmanageengine_ad360Match4.24227

Node

zohocorpmanageengine_datasecurity_plusRange≤5.0

zohocorpmanageengine_datasecurity_plusMatch6.06000

zohocorpmanageengine_datasecurity_plusMatch6.06001

zohocorpmanageengine_datasecurity_plusMatch6.06002

zohocorpmanageengine_datasecurity_plusMatch6.06003

zohocorpmanageengine_datasecurity_plusMatch6.06010

zohocorpmanageengine_datasecurity_plusMatch6.06011

zohocorpmanageengine_datasecurity_plusMatch6.06012

zohocorpmanageengine_datasecurity_plusMatch6.06013

zohocorpmanageengine_datasecurity_plusMatch6.06020

zohocorpmanageengine_datasecurity_plusMatch6.06021

zohocorpmanageengine_datasecurity_plusMatch6.06030

zohocorpmanageengine_datasecurity_plusMatch6.06031

zohocorpmanageengine_datasecurity_plusMatch6.06032

Node

zohocorpmanageengine_recovermanager_plusRange≤5.4

zohocorpmanageengine_recovermanager_plusMatch6.06001

zohocorpmanageengine_recovermanager_plusMatch6.06003

zohocorpmanageengine_recovermanager_plusMatch6.06005

zohocorpmanageengine_recovermanager_plusMatch6.06011

zohocorpmanageengine_recovermanager_plusMatch6.06016

Node

zohocorpmanageengine_eventlog_analyzerRange≤12.1.2

zohocorpmanageengine_eventlog_analyzerMatch12.1.312130

zohocorpmanageengine_eventlog_analyzerMatch12.1.312135

Node

zohocorpmanageengine_adaudit_plusRange≤5.1

zohocorpmanageengine_adaudit_plusMatch6.06000

zohocorpmanageengine_adaudit_plusMatch6.06001

zohocorpmanageengine_adaudit_plusMatch6.06002

zohocorpmanageengine_adaudit_plusMatch6.06003

zohocorpmanageengine_adaudit_plusMatch6.06010

zohocorpmanageengine_adaudit_plusMatch6.06030

zohocorpmanageengine_adaudit_plusMatch6.06031

zohocorpmanageengine_adaudit_plusMatch6.06032

zohocorpmanageengine_adaudit_plusMatch6.06033

zohocorpmanageengine_adaudit_plusMatch6.06050

zohocorpmanageengine_adaudit_plusMatch6.06052

Node

zohocorpmanageengine_o365_manager_plusRange≤4.2

zohocorpmanageengine_o365_manager_plusMatch4.34300

zohocorpmanageengine_o365_manager_plusMatch4.34301

zohocorpmanageengine_o365_manager_plusMatch4.34302

zohocorpmanageengine_o365_manager_plusMatch4.34303

zohocorpmanageengine_o365_manager_plusMatch4.34304

zohocorpmanageengine_o365_manager_plusMatch4.34305

zohocorpmanageengine_o365_manager_plusMatch4.34306

zohocorpmanageengine_o365_manager_plusMatch4.34308

zohocorpmanageengine_o365_manager_plusMatch4.34309

zohocorpmanageengine_o365_manager_plusMatch4.34310

zohocorpmanageengine_o365_manager_plusMatch4.34311

zohocorpmanageengine_o365_manager_plusMatch4.34312

zohocorpmanageengine_o365_manager_plusMatch4.34316

zohocorpmanageengine_o365_manager_plusMatch4.34317

zohocorpmanageengine_o365_manager_plusMatch4.34318

zohocorpmanageengine_o365_manager_plusMatch4.34319

zohocorpmanageengine_o365_manager_plusMatch4.34320

zohocorpmanageengine_o365_manager_plusMatch4.34321

zohocorpmanageengine_o365_manager_plusMatch4.34322

zohocorpmanageengine_o365_manager_plusMatch4.34324

zohocorpmanageengine_o365_manager_plusMatch4.34325

zohocorpmanageengine_o365_manager_plusMatch4.34327

zohocorpmanageengine_o365_manager_plusMatch4.34328

zohocorpmanageengine_o365_manager_plusMatch4.34329

zohocorpmanageengine_o365_manager_plusMatch4.34330

zohocorpmanageengine_o365_manager_plusMatch4.34331

zohocorpmanageengine_o365_manager_plusMatch4.34332

zohocorpmanageengine_o365_manager_plusMatch4.34333

zohocorpmanageengine_o365_manager_plusMatch4.34334

Node

zohocorpmanageengine_cloud_security_plusRange≤4.0

zohocorpmanageengine_cloud_security_plusMatch4.14100

zohocorpmanageengine_cloud_security_plusMatch4.14101

zohocorpmanageengine_cloud_security_plusMatch4.14102

zohocorpmanageengine_cloud_security_plusMatch4.14103

zohocorpmanageengine_cloud_security_plusMatch4.14104

zohocorpmanageengine_cloud_security_plusMatch4.14105

zohocorpmanageengine_cloud_security_plusMatch4.14106

zohocorpmanageengine_cloud_security_plusMatch4.14107

zohocorpmanageengine_cloud_security_plusMatch4.14108

zohocorpmanageengine_cloud_security_plusMatch4.14109

Node

zohocorpmanageengine_admanager_plusRange≤6.6

zohocorpmanageengine_admanager_plusMatch7.07000

zohocorpmanageengine_admanager_plusMatch7.07010

zohocorpmanageengine_admanager_plusMatch7.07011

zohocorpmanageengine_admanager_plusMatch7.07020

zohocorpmanageengine_admanager_plusMatch7.07030

zohocorpmanageengine_admanager_plusMatch7.07040

zohocorpmanageengine_admanager_plusMatch7.07041

zohocorpmanageengine_admanager_plusMatch7.07050

zohocorpmanageengine_admanager_plusMatch7.07051

zohocorpmanageengine_admanager_plusMatch7.07052

zohocorpmanageengine_admanager_plusMatch7.07053

zohocorpmanageengine_admanager_plusMatch7.07054

Node

zohocorpmanageengine_log360Range≤5.0

zohocorpmanageengine_log360Match5.15100

zohocorpmanageengine_log360Match5.15102

zohocorpmanageengine_log360Match5.15107

zohocorpmanageengine_log360Match5.15108

zohocorpmanageengine_log360Match5.15110

zohocorpmanageengine_log360Match5.15111

zohocorpmanageengine_log360Match5.15120

zohocorpmanageengine_log360Match5.15150

zohocorpmanageengine_log360Match5.15154

zohocorpmanageengine_log360Match5.15155

zohocorpmanageengine_log360Match5.15160

zohocorpmanageengine_log360Match5.15164

VendorProductVersionCPE
zohocorpmanageengine_adselfservice_plus*cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus5.8cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:-:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus5.8cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5800:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus5.8cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5801:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus5.8cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5802:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus5.8cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5803:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus5.8cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5804:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus5.8cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5805:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus5.8cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5806:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus5.8cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5807:*:*:*:*:*:*

Vendor	Product	Version	CPE
zohocorp	manageengine_adselfservice_plus	*	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus::::::::
zohocorp	manageengine_adselfservice_plus	5.8	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:-::::::
zohocorp	manageengine_adselfservice_plus	5.8	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5800::::::
zohocorp	manageengine_adselfservice_plus	5.8	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5801::::::
zohocorp	manageengine_adselfservice_plus	5.8	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5802::::::
zohocorp	manageengine_adselfservice_plus	5.8	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5803::::::
zohocorp	manageengine_adselfservice_plus	5.8	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5804::::::
zohocorp	manageengine_adselfservice_plus	5.8	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5805::::::
zohocorp	manageengine_adselfservice_plus	5.8	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5806::::::
zohocorp	manageengine_adselfservice_plus	5.8	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5807::::::

Rows per page:

1-10 of 1521

References

medium.com/%40frycos/another-zoho-manageengine-story-7b472f1515f5

pitstop.manageengine.com/portal/en/community/topic/admanager-plus-fixes-and-enhancements

pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability

pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability-17-5-2020

pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability-18-5-2020

pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability

pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability-15-5-2020-1

pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability-18-5-2020

pitstop.manageengine.com/portal/en/kb/articles/manageengine-cloud-security-plus-security-advisory-regarding-unauthenticated-product-integration-vulnerability

pitstop.manageengine.com/portal/en/kb/articles/manageengine-log360-security-advisory-regarding-unauthenticated-product-integration-vulnerability

www.manageengine.com/data-security/release-notes.html

www.manageengine.com/products/eventlog/features-new.html

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.024

Percentile

90.0%

JSON

Related for NVD:CVE-2020-24786

cve1 cvelist1 prion1