CVE-2020-15589

Published: 02 Oct 2020
Source: nvd
CVSS3: 8.1
CVSS2: 6.8
EPSS: Low

Description

A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W and Remote Access Plus before 10.1.2119.1. By exploiting this issue, an attacker-controlled server can force the client to skip TLS certificate validation, leading to a man-in-the-middle attack against HTTPS and unauthenticated remote code execution.

Vulnerable configurations

Configuration 1

One of:

cpe:2.3:a:zohocorp:manageengine_desktop_central:10.0.552.w:*:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_remote_access_plus:*:*:*:*:*:*:*:*
Versions before 10.1.2119.1 (exclusive)

EPSS: 0.03581 (percentile: 87%), Low

CVSS3: 8.1 High

CVSS2: 6.8 Medium

Weaknesses

NVD-CWE-Other

Related vulnerabilities

github
more than 3 years ago

A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. By exploiting this issue, an attacker-controlled server can force the client to skip TLS certificate validation, leading to a man-in-the-middle attack against HTTPS and unauthenticated remote code execution.

EPSS: 0.03581 (percentile: 87%), Low

CVSS3: 8.1 High

CVSS2: 6.8 Medium

Weaknesses

NVD-CWE-Other