CVE-2019-20474

CVE-2019-20474

by colinelacatena

Abstract Advisory Information

The service to test the mail server configuration suffers from an authorization issue allowing a user with the “Guest” role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment.

Authors: Dominique Righetto from Excellium-services company

Version affected

Name: Remote Access Plus
Versions: 10.0.447

Common Vulnerability Scoring System

4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Patches

Fixed in version 10.0.451

References

https://www.manageengine.com/remote-desktop-management/knowledge-base/authorization-failure.html 

Vulnerability Disclosure Timeline

  • 21/10/2019: vulnerability discovered.
  • 25/10/2019: First Contact to Vendor
  • 29/10/2019: Vendor feedback, investigation running
  • 08/11/2019: Request for updates
  • 18/11/2019: Request for updates
  • 18/12/2019: Request for updates
  • 03/01/2020: Request for updates
  • 03/01/2020: Vulnerability is fixed and release in progress
  • 27/01/2020: Request for updates
  • 17/02/2020: Patch is available
  • 17/02/2020: Request CVE ID to Mitre
  • 17/02/2020: CVE ID assigned
  • 19/02/2020: Public disclosure
Top