CRITICAL✓ PATCH🇬🇧 English

CVE-2020-24786

CVSS 9.8v3.1pub. 2020-08-31upd. 2024-11-21

An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Zohocorp Manageengine Ad360

    APP
    Zohocorp
    4.2≤ 4.1
  • Zohocorp Manageengine Adaudit Plus

    APP
    Zohocorp
    6.0≤ 5.1
  • Zohocorp Manageengine Admanager Plus

    APP
    Zohocorp
    7.0≤ 6.6
  • Zohocorp Manageengine Adselfservice Plus

    APP
    Zohocorp
    5.8≤ 5.7
  • Zohocorp Manageengine Cloud Security Plus

    APP
    Zohocorp
    4.1≤ 4.0
  • Zohocorp Manageengine Datasecurity Plus

    APP
    Zohocorp
    6.0≤ 5.0
  • Zohocorp Manageengine Eventlog Analyzer

    APP
    Zohocorp
    12.1.3≤ 12.1.2
  • Zohocorp Manageengine Exchange Reporter Plus

    APP
    Zohocorp
    5.5≤ 5.4
  • Zohocorp Manageengine Log360

    APP
    Zohocorp
    5.1≤ 5.0
  • Zohocorp Manageengine O365 Manager Plus

    APP
    Zohocorp
    4.3≤ 4.2
  • Zohocorp Manageengine Recovermanager Plus

    APP
    Zohocorp
    6.0≤ 5.4
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
Tagi
Auth Bypass
CWE
Referencje

Powiązane podatności

CVE-2022-47966CRITICAL9.8⚠ KEVten sam produkt

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code exec...

CVE-2021-40539CRITICAL9.8⚠ KEVten sam produkt

Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass wi...

CVE-2025-11250CRITICAL9.1PL ✓ten sam produkt

Authentication Bypass w Zohocorp ManageEngine ADSelfService Plus

CVE-2025-3835CRITICAL9.6PL ✓ten sam produkt

RCE w module Content Search aplikacji ManageEngine Exchange Reporter Plus

CVE-2023-48792CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Zoho ManageEngine ADAudit Plus — eksport raportów