CVE-2020-11532

Опубликовано: 08 мая 2020

Источник: nvd

CVSS3: 9.8

CVSS2: 10

EPSS Высокий

Описание

Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of admin user.

Ссылки

http://packetstormsecurity.com/files/157609/ManageEngine-DataSecurity-Plus-Authentication-Bypass.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2020/May/28
Exploit
Mailing List
Third Party Advisory
https://pitstop.manageengine.com/portal/community/topic/upgrade-datasecurity-plus-to-the-build-6013-to-fix-security-issues
Patch
Vendor Advisory
http://packetstormsecurity.com/files/157609/ManageEngine-DataSecurity-Plus-Authentication-Bypass.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2020/May/28
Exploit
Mailing List
Third Party Advisory
https://pitstop.manageengine.com/portal/community/topic/upgrade-datasecurity-plus-to-the-build-6013-to-fix-security-issues
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:zohocorp:manageengine_adaudit_plus:*:*:*:*:*:*:*:*

Версия до 6.0.3 (исключая)

cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:*:*:*:*:*:*:*:*

Версия до 6.0.1 (исключая)

EPSS

Процентиль: 100%

0.89079

Высокий

9.8 Critical

CVSS3

10 Critical

CVSS2

Дефекты

CWE-1188

Связанные уязвимости

GHSA-wrqh-vg7q-4h79

github

больше 3 лет назад