Description
In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like "ADMIN". A user is also able to change properties of another user, e.g. change another user's password.
References
- Mailing List, Third Party Advisory
- Vendor Advisory
- Third Party Advisory, VDB Entry
Vulnerable configurations
Configuration 1
One of
cpe:2.3:a:zohocorp:manageengine_applications_manager:12.0:*:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_applications_manager:13.0:*:*:*:*:*:*:*
EPSS
Score: 0.00285 (Low)
Percentile: 52%
CVSS3: 8.8 High
CVSS2: 4 Medium
Weaknesses
CWE-269
CWE-255
Related vulnerabilities
CVSS3: 8.8
github
more than 3 years ago
In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like "ADMIN". A user is also able to change properties of another user, e.g. change another user's password.