Vulnerabilities > CVE-2020-11532 - Insecure Default Initialization of Resource vulnerability in Zohocorp products

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

zohocorp

CWE-1188

critical

NVD

Published: 2020-05-08

Updated: 2021-07-21

Summary

Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of admin user.

Vulnerable Configurations

Part	Description	Count
Application	Zohocorp Zohocorp Manageengine Datasecurity Plus - Zohocorp Manageengine Datasecurity Plus 4.0 Zohocorp Manageengine Datasecurity Plus 4.1 Zohocorp Manageengine Datasecurity Plus 4.2 Zohocorp Manageengine Datasecurity Plus 4.3 Zohocorp Manageengine Datasecurity Plus 5.0 Zohocorp Manageengine Datasecurity Plus 6.0 Zohocorp Manageengine Adaudit Plus - Zohocorp Manageengine Adaudit Plus 4.1.0 Zohocorp Manageengine Adaudit Plus 4.5.0 Zohocorp Manageengine Adaudit Plus 5.0.0 Zohocorp Manageengine Adaudit Plus 5.1 Zohocorp Manageengine Adaudit Plus 6.0 Zohocorp Manageengine Adaudit Plus 6.0.1	74

Common Weakness Enumeration (CWE)

CWE-1188 - Insecure Default Initialization of Resource

Packetstorm

data source	https://packetstormsecurity.com/files/download/157609/XL-2020-002.txt
id	PACKETSTORM:157609
last seen	2020-05-09
published	2020-05-08
reporter	Sahil Dhar
source	https://packetstormsecurity.com/files/157609/ManageEngine-DataSecurity-Plus-Authentication-Bypass.html
title	ManageEngine DataSecurity Plus Authentication Bypass

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Packetstorm

References