Abstract Advisory Information
An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password).
Author: Dominique Righetto
Version affected
Name: Remote Access Plus
Versions: 10.0.447Common Vulnerability Scoring System
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NPatches
Fixed in version 10.0.450
References
None
Vulnerability Disclosure Timeline
- 17/10/2019: Vulnerability discovered
- 25/10/2019: First Contact to Vendor
- 08/11/2019: Request for updates
- 18/11/2019: Request for updates
- 18/12/2019: Request for updates
- 03/01/2020: Request for updates
- 03/01/2020: Vulnerability is fixed and release in progress
- 27/01/2020: Request for updates
- 28/01/2020: Patch is available
- 28/01/2020: Request CVE ID to Mitre
- 28/01/2020: CVE ID assigned
- 30/01/2020: Public disclosure