CVE-2020-8422 — Insufficiently Protected Credentials in Manageengine Remote Access Plus

CWE-522 — Insufficiently Protected Credentials3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 56.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Remote Access Plus

Timeline

PublishedJan 31

Latest updateMay 24

Description

An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶NVDzohocorp/manageengine_remote_access_plus< 10.0.450

🔴Vulnerability Details

GHSA

GHSA-c54r-ffv6-72gm: An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10↗2022-05-24

▶

CVEList

CVE-2020-8422: An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10↗2020-01-31

▶