Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-20474

An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF.

Published

2020-02-17T19:15:12.260

Last Modified

2024-11-21T04:38:34.440

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-918

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	zohocorp	manageengine_remote_access_plus	10.0.447	Yes

References

https://excellium-services.com/cert-xlm-advisory/cve-2019-20474/ Third Party Advisory ([email protected])
https://www.manageengine.com/remote-desktop-management/knowledge-base/authorization-failure.html Vendor Advisory ([email protected])
https://excellium-services.com/cert-xlm-advisory/cve-2019-20474/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.manageengine.com/remote-desktop-management/knowledge-base/authorization-failure.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)