Abstract Advisory Information
An issue was discovered in Zoho Application Control Plus before version 10.0.511.
The Element Configuration feature (used to configure the elements that fall within the scope of elements managed by the product) allows an attacker to retrieve the entire list of IP ranges and subnets configured in the product, and consequently to learn the layout of the internal networks to which the product has access.
Authors: Dominique Righetto
Version affected
Name: Application Control Plus
Versions: 10.0.510
Common Vulnerability Scoring System
Score: 4.3
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Patches
Versions: 10.0.511
References
patched version: https://www.manageengine.com/application-control/download.html
vendor advisory: https://www.manageengine.com/application-control/kb/privilege-escalation-vulnerability.html
Vulnerability Disclosure Timeline
06/06/2020: Vulnerability identification
09/06/2020: First contact with the vendor
09/06/2020: Acknowledgement from the vendor
22/06/2020: Request for update
29/06/2020: Vulnerability fixed but not available yet
06/07/2020: Request for update
06/07/2020: Patch available, but the vendor asks for a grace period before public disclosure
08/07/2020: CVE ID Assigned by MITRE
09/09/2020: Public disclosure