Insecure Permissions in Zoho's ADManager Plus and ADSelfService Plus Lead to Privilege Escalation
CVE-2019-12876

7.3HIGH

Key Information:

Vendor: Zohocorp
Status: Manageengine Desktop Central; Manageengine Adselfservice Plus; Manageengine Admanager Plus
Vendor: CVE Published:; 17 July 2019

What is CVE-2019-12876?

Certain versions of Zoho's ManageEngine products, including ADManager Plus, ADSelfService Plus, and DesktopCentral, suffer from insecure permissions. This vulnerability allows attackers with low-level privileges to escalate their access to gain system-level privileges, potentially leading to unauthorized access to sensitive data and essential resources. Users should ensure they are running the latest versions and apply any necessary patches to safeguard against this vulnerability.

References

https://www.criticalstart.com/2019/07/manageengine-privil...

x_refsource_MISC

http://www.securityfocus.com/bid/109298

vdb-entryx_refsource_BID

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 17, 2019
Vulnerability Reserved
Jun 18, 2019

Zohocorp

What is CVE-2019-12876?

References

CVSS V3.1

Timeline