Directory Traversal Risk in Zoho ManageEngine Analytics Plus
CVE-2020-21642

9.8CRITICAL

Key Information:

Vendor: Zohocorp
Status: Manageengine Analytics Plus
Vendor: CVE Published:; 15 August 2022

What is CVE-2020-21642?

A directory traversal vulnerability exists in the ZDBQAREFSUBDIR parameter of the /zropusermgmt API in Zoho ManageEngine Analytics Plus, prior to version 4350. This weakness allows remote attackers to manipulate file paths, potentially leading to access of arbitrary files and execution of malicious code on the server. Such vulnerabilities can be exploited for various nefarious purposes, including unauthorized data access and system compromise.

References

https://www.manageengine.com/analytics-plus/release-notes...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 15, 2022
Vulnerability Reserved
Aug 13, 2020

Zohocorp

What is CVE-2020-21642?

References

CVSS V3.1

Timeline