CVE-2022-24978 — Cleartext Transmission of Sensitive Info in Manageengine Adaudit Plus

CWE-319 — Cleartext Transmission of Sensitive Info CWE-522 — Insufficiently Protected Credentials3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 54.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Adaudit Plus

Timeline

PublishedApr 5

Latest updateApr 6

Description

Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDzohocorp/manageengine_adaudit_plus6.0+1

Patches

Patch: pitstop.manageengine.com ↗Patch: pitstop.manageengine.com ↗

🔴Vulnerability Details

GHSA

GHSA-fgqq-jvf3-xhmw: Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products↗2022-04-06

▶

CVEList

CVE-2022-24978: Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products↗2022-04-05

▶