CVE-2020-13154 — Missing Authorization in Manageengine Servicedesk Plus

CWE-862 — Missing Authorization CWE-522 — Insufficiently Protected Credentials3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.5%

top 33.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Servicedesk Plus

Timeline

PublishedMay 18

Latest updateMay 24

Description

Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶NVDzohocorp/manageengine_servicedesk_plus11.1

🔴Vulnerability Details

GHSA

GHSA-5h36-xpf2-wm7c: Zoho ManageEngine Service Plus before 11↗2022-05-24

▶

CVEList

CVE-2020-13154: Zoho ManageEngine Service Plus before 11↗2020-05-18

▶