CVE-2020-8422

CVE-2020-8422

by Excellium SA

Abstract Advisory Information

An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password).

Authors: Dominique Righetto from Excellium-services company

Version affected

Name: Remote Access Plus
Versions: 10.0.447

Common Vulnerability Scoring System

4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Patches

Fixed in version 10.0.450

References

None

Vulnerability Disclosure Timeline

  • 17/10/2019: Vulnerability discovered
  • 25/10/2019: First Contact to Vendor
  • 08/11/2019: Request for updates
  • 18/11/2019: Request for updates
  • 18/12/2019: Request for updates
  • 03/01/2020: Request for updates
  • 03/01/2020: Vulnerability is fixed and release in progress
  • 27/01/2020: Request for updates
  • 28/01/2020: Patch is available
  • 28/01/2020: Request CVE ID to Mitre
  • 28/01/2020: CVE ID assigned
  • 30/01/2020: Public disclosure
Top