by Excellium SA

Abstract Advisory Information

An issue was discovered in Zoho Application Control Plus before version 10.0.511.
The Element Configuration feature (to configure elements included in the scope of elements managed by the product) allows an attacker to retrieve the entire list of the IP ranges and subnets configured in the product, and consequently obtain information about the cartography of the internal networks to which the product has access.

Authors: Dominique Righetto

Version affected

Name: Application Control Plus
Versions: 10.0.510

Common Vulnerability Scoring System



Versions: 10.0.511


patched version:
vendor advisory:

Vulnerability Disclosure Timeline

06/06/2020: Vulnerability identification
09/06/2020: First contact with the vendor
09/06/2020: Acknowledge from the vendor
22/06/2020: Request for update
29/06/2020: Vulnerability fixed but not available yet
06/07/2020: Request for update
06/07/2020: Patch available but vendor ask a grace period before public disclosure
08/07/2020: CVE ID Assigned by MITRE
09/09/2020: Public disclosure