Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-31492

CWE-522 — Insufficiently Protected Credentials CWE-735 documents5 sources

Severity

6.5MEDIUM

EPSS

0.2%

top 53.45%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Zohocorp Manageengine Admanager Plus

Timeline

PublishedAug 17

Latest updateApr 10

Description

Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶NVDzohocorp/manageengine_admanager_plus< 7.1+1

🔴Vulnerability Details

GHSA

GHSA-jrp3-72m5-5jpj: Incorrect access control in Zoho ManageEngine ADManager Plus Build 7180 allows unauthenticated attackers to view user passwords after executing backup↗2023-08-18

▶

CVEList

CVE-2023-31492: Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the aut↗2023-08-17

▶

💥Exploits & PoCs

Exploit-DB

ManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure↗2024-02-13

▶

📋Vendor Advisories

Fortinet

An external control of file name or path vulnerability [CWE-73] in FortiClientMac version 7.2.3 and below, version 7.0...↗2024-04-10

▶