Vulnerability Details CVE-2020-24786
An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.068
EPSS Ranking 90.8%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 10.0
References
- https://medium.com/%40frycos/another-zoho-manageengine-story-7b472f1515f5
- https://pitstop.manageengine.com/portal/en/community/topic/admanager-plus-fixes-and-enhancements
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability-17-5-2020
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability-18-5-2020
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability-15-5-2020-1
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability-18-5-2020
- https://pitstop.manageengine.com/portal/en/kb/articles/manageengine-cloud-security-plus-security-advisory-regarding-unauthenticated-product-integration-vulnerability
- https://pitstop.manageengine.com/portal/en/kb/articles/manageengine-log360-security-advisory-regarding-unauthenticated-product-integration-vulnerability
- https://www.manageengine.com/data-security/release-notes.html
- https://www.manageengine.com/products/eventlog/features-new.html
- https://medium.com/%40frycos/another-zoho-manageengine-story-7b472f1515f5
- https://pitstop.manageengine.com/portal/en/community/topic/admanager-plus-fixes-and-enhancements
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability-17-5-2020
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability-18-5-2020
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability-15-5-2020-1
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability-18-5-2020
- https://pitstop.manageengine.com/portal/en/kb/articles/manageengine-cloud-security-plus-security-advisory-regarding-unauthenticated-product-integration-vulnerability
- https://pitstop.manageengine.com/portal/en/kb/articles/manageengine-log360-security-advisory-regarding-unauthenticated-product-integration-vulnerability
- https://www.manageengine.com/data-security/release-notes.html
- https://www.manageengine.com/products/eventlog/features-new.html
Products affected by CVE-2020-24786
-
cpe:2.3:a:zohocorp:manageengine_ad360:4.1
-
cpe:2.3:a:zohocorp:manageengine_ad360:4.2
-
cpe:2.3:a:zohocorp:manageengine_adaudit_plus:-
-
cpe:2.3:a:zohocorp:manageengine_adaudit_plus:4.1.0
-
cpe:2.3:a:zohocorp:manageengine_adaudit_plus:4.5.0
-
cpe:2.3:a:zohocorp:manageengine_adaudit_plus:5.0.0
-
cpe:2.3:a:zohocorp:manageengine_adaudit_plus:5.1
-
cpe:2.3:a:zohocorp:manageengine_adaudit_plus:6.0
-
cpe:2.3:a:zohocorp:manageengine_admanager_plus:-
-
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.1
-
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.2
-
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.5.7
-
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.6
-
cpe:2.3:a:zohocorp:manageengine_admanager_plus:7.0
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0.6
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.4
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7
-
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8
-
cpe:2.3:a:zohocorp:manageengine_cloud_security_plus:4.0
-
cpe:2.3:a:zohocorp:manageengine_cloud_security_plus:4.1
-
cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:-
-
cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:4.0
-
cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:4.1
-
cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:4.2
-
cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:4.3
-
cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:5.0
-
cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:6.0
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:10.0
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:10.6
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:10.7
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:10.8
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.0
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.1
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.10
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.11
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.12
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.13
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.14
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.2
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.20
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.21
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.3
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.4
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.5
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.6
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.7
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.8
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:11.9
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:12.0.0
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:12.0.1
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:12.0.2
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:12.0.3
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:12.0.4
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:12.0.5
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:12.0.6
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:12.1.0
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:12.1.1
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:12.1.2
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:12.1.3
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:6.0
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:6.1
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:6.2
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:7.0
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:7.2
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:8.2
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:8.5
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:8.6
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:9.0
-
cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:9.9
-
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:-
-
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.4
-
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.5
-
cpe:2.3:a:zohocorp:manageengine_log360:5.0
-
cpe:2.3:a:zohocorp:manageengine_log360:5.1
-
cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.0
-
cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.2
-
cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3
-
cpe:2.3:a:zohocorp:manageengine_recovermanager_plus:*
-
cpe:2.3:a:zohocorp:manageengine_recovermanager_plus:6.0