Information Disclosure Vulnerability in Zoho ManageEngine EventLog Analyzer
CVE-2019-19774

8.8HIGH

Key Information:

Vendor

Zohocorp
Status
Manageengine Eventlog Analyzer
Vendor
CVE Published:
13 December 2019

What is CVE-2019-19774?

An information disclosure vulnerability exists in Zoho ManageEngine EventLog Analyzer 10.0 SP1 and earlier, which allows attackers to bypass security measures designed to protect sensitive credential data. By executing a specific SQL query at the /event/runquery.do endpoint, even administrative users can retrieve MD5 hashes of authentication accounts stored within the application, including those belonging to administrative users. This flaw circumvents restrictions that typically prevent access to password-related data and poses a significant risk to enterprise security.

References

https://www.manageengine.com/products/eventlog/features-n...
x_refsource_MISC
https://gist.github.com/scottgoodwin90/19ccecdc9f5733c0a9...
x_refsource_MISC
http://packetstormsecurity.com/files/156485/ManageEngine-...
x_refsource_MISC

EPSS Score

25% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.