CVE-2020-15594: Server-Side Request Forgery in ManageEngine Application Control Plus

Severity
4.3 MEDIUM (NVD)
EPSS
0.5%
top 34.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 30
Latest update: May 24

Description

An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to perform a scan in order to discover open ports on a machine as well as available machines on the network segment on which the instance of the product is deployed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages: 1 package

Vulnerability Details

2
GHSA
GHSA-wrf8-p6r2-xw72: An SSRF issue was discovered in Zoho Application Control Plus before version 10 (2022-05-24)
CVEList
CVE-2020-15594: An SSRF issue was discovered in Zoho Application Control Plus before version 10 (2020-09-29)