PT-2022-8644 · Zoho · ManageEngine Analytics Plus

Published: 2022-08-15 · Updated: 2022-08-16 · CVE-2020-21642

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Zoho ManageEngine Analytics Plus versions prior to 4350

Description

A Directory Traversal issue exists due to the ZDBQAREFSUBDIR parameter in the "/zropusermgmt" API endpoint. This allows remote attackers to potentially run arbitrary code.

Recommendations

For versions prior to 4350, update to version 4350 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/zropusermgmt" API endpoint to minimize the risk of exploitation. Avoid using the ZDBQAREFSUBDIR parameter in the affected API endpoint until the issue is resolved.
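
While the workaround is in place, access logs can be reviewed for use of the affected parameter. The script below is an added example, not part of the advisory or vendor code; it assumes a common/combined access-log layout and that ZDBQAREFSUBDIR is visible in the query string, and its sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/zropusermgmt"   # endpoint named in the advisory
PARAM = "ZDBQAREFSUBDIR"     # parameter named in the advisory
# Assumption: common/combined access-log layout with a quoted request line.
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Aug/2022:10:00:01 +0000] "GET /zropusermgmt?ZDBQAREFSUBDIR=reports HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Aug/2022:10:00:05 +0000] "POST /zropusermgmt?ZDBQAREFSUBDIR=..%2F..%2Ftmp HTTP/1.1" 200 87',
    '198.51.100.7 - - [15/Aug/2022:10:00:09 +0000] "POST /zropusermgmt?ZDBQAREFSUBDIR=%252e%252e%255cconf HTTP/1.1" 200 87',
    '203.0.113.4 - - [15/Aug/2022:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True for a parent-directory segment or an absolute path."""
    norm = fully_decode(value).replace("\\", "/")
    if norm.startswith("/") or re.match(r"[A-Za-z]:", norm):
        return True
    return ".." in norm.split("/")

def scan(lines):
    """Return (client, raw_target, reason) for each request to review."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.rstrip("/").lower().endswith(ENDPOINT):
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.upper() == PARAM:
                reason = "traversal" if is_traversal(value) else "parameter-used"
                findings.append((m["client"], m["target"], reason))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Values sent in a request body are not recorded in a standard access log, so a clean result from this scan does not rule out use of the parameter.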

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2020-21642

Affected Products

ManageEngine Analytics Plus