CVE-2020-11531

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine DataSecurity Plus versions prior to 6.0.1

Description The issue arises from the lack of validation of the database schema name when handling a DR-SCHEMA-SYNC request in the DataEngine Xnode Server application. This allows an authenticated attacker to execute code in the context of the product by writing a JSP file to the webroot directory via directory traversal.

Recommendations For versions prior to 6.0.1, update to version 6.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the DR-SCHEMA-SYNC request handler to minimize the risk of exploitation.