CVE-2018-11808 — Improper Input Validation in Manageengine Applications Manager

CWE-20 — Improper Input Validation3 documents3 sources

Severity

9.1CRITICALNVD

EPSS

4.2%

top 11.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Applications Manager

Timeline

PublishedJun 6

Latest updateMay 14

Description

Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages1 packages

▶NVDzohocorp/manageengine_applications_manager13

🔴Vulnerability Details

GHSA

GHSA-rh5r-wvg8-j97g: Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to dele↗2022-05-14

▶

CVEList

CVE-2018-11808: Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to dele↗2018-06-06

▶