CVE-2019-20474 — Server-Side Request Forgery in Manageengine Remote Access Plus

CWE-918 — Server-Side Request Forgery3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 59.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Remote Access Plus

Timeline

PublishedFeb 17

Latest updateMay 24

Description

An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶NVDzohocorp/manageengine_remote_access_plus10.0.447

🔴Vulnerability Details

GHSA

GHSA-h34j-f5r2-pcx7: An issue was discovered in Zoho ManageEngine Remote Access Plus 10↗2022-05-24

▶

CVEList

CVE-2019-20474: An issue was discovered in Zoho ManageEngine Remote Access Plus 10↗2020-02-17

▶