PT-2023-4674 · Zoho · Zoho ManageEngine ADManager Plus

Son Nguyen · Published 2023-07-30 · Updated 2025-10-23 · CVE-2023-39912

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Zoho ManageEngine ADManager Plus versions prior to 7203

Description

The issue is related to inadequate access control in the Zoho ManageEngine ADManager Plus software, which can be exploited by a remote attacker to gain unauthorized access to protected information. Specifically, it allows Help Desk Technician users to read arbitrary files on the machine where the product is installed, and admin users can download any file from the server machine via directory traversal.

Recommendations

For versions prior to 7203, update to version 7203 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories on the server machine to minimize the risk of exploitation. Additionally, limit the privileges of Help Desk Technician users to prevent them from reading arbitrary files.

Fix

Information Disclosure

Path traversal

Improper Access Control

Weakness Enumeration

Related Identifiers

BDU:2023-05087
CVE-2023-39912
ZDI-23-1401

Affected Products

Zoho ManageEngine ADManager Plus