Authorization Issue in Zoho ManageEngine Remote Access Plus
CVE-2019-20474

4.3 MEDIUM

Key Information:

Vendor: Zohocorp
CVE Published: 17 February 2020

What is CVE-2019-20474?

An authorization flaw exists in Zoho ManageEngine Remote Access Plus version 10.0.447: a user with 'Guest' role privileges can access the mail-server configuration testing service. This permits unauthorized operations, such as network and port scans against localhost or hosts in the same network segment, and so enables Server Side Request Forgery (SSRF) attacks.

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
