PT-2019-13987 · Zoho · Zoho Manageengine Opmanager

Akkus

Publicado

2019-08-16

Atualizado

2020-08-24

CVE-2019-15106

CVSS v3.1

9.8

Crítica

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine OpManager versions prior to build 14310

Description An issue allows bypassing the user password requirement, enabling command execution on the server. The password is constructed by appending '@opm' to the username. For instance, if the username is 'admin', the password would be 'admin@opm'.

Recommendations For versions prior to build 14310, update to a version that includes the fix for this issue to prevent password bypass and unauthorized command execution. As a temporary workaround, consider restricting access to the server to minimize the risk of exploitation.

Exploit

Correção

Missing Authentication

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-306

Identificadores relacionados

CVE-2019-15106

Produtos afetados

Zoho Manageengine Opmanager

PT-2019-13987 · Zoho · Zoho Manageengine Opmanager

CVE-2019-15106

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 6