Abstract Advisory Information
An issue was discovered in Zoho Application Control Plus before version 10.0.511.
The Element Configuration feature (to configure elements included in the scope of elements managed by the product) allows an attacker to retrieve the entire list of the IP ranges and subnets configured in the product, and consequently obtain information about the cartography of the internal networks to which the product has access.
Author: Dominique Righetto
Version affected
Name: Application Control Plus
Versions: 10.0.510
Common Vulnerability Scoring System
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Patches
Versions: 10.0.511
References
patched version: https://www.manageengine.com/application-control/download.html
vendor advisory: https://www.manageengine.com/application-control/kb/privilege-escalation-vulnerability.html
Vulnerability Disclosure Timeline
- 06/06/2020: Vulnerability identification
- 09/06/2020: First contact with the vendor
- 09/06/2020: Acknowledgement from the vendor
- 22/06/2020: Request for update
- 29/06/2020: Vulnerability fixed, but the fix is not available yet
- 06/07/2020: Request for update
- 06/07/2020: Patch available, but the vendor asks for a grace period before public disclosure
- 08/07/2020: CVE ID Assigned by MITRE
- 09/09/2020: Public disclosure