CVE-2020-11532 - Insecure Default Initialization of Resource vulnerability in Zohocorp products
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of the admin user.
Packetstorm
data source | https://packetstormsecurity.com/files/download/157609/XL-2020-002.txt |
id | PACKETSTORM:157609 |
last seen | 2020-05-09 |
published | 2020-05-08 |
reporter | Sahil Dhar |
source | https://packetstormsecurity.com/files/157609/ManageEngine-DataSecurity-Plus-Authentication-Bypass.html |
title | ManageEngine DataSecurity Plus Authentication Bypass |
References
- http://packetstormsecurity.com/files/157609/ManageEngine-DataSecurity-Plus-Authentication-Bypass.html
- http://seclists.org/fulldisclosure/2020/May/28
- https://pitstop.manageengine.com/portal/community/topic/upgrade-datasecurity-plus-to-the-build-6013-to-fix-security-issues