Vulnerabilities > CVE-2020-15589 - Unspecified vulnerability in Zohocorp products

CVSS 8.1 - HIGH

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

high complexity

zohocorp

NVD

Published: 2020-10-02

Updated: 2021-12-06

Summary

A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W and Remote Access Plus before 10.1.2119.1. By exploiting this issue, an attacker-controlled server can force the client to skip TLS certificate validation, leading to a man-in-the-middle attack against HTTPS and unauthenticated remote code execution.

Vulnerable Configurations

Part	Description	Count
Application	Zohocorp Zohocorp Manageengine Desktop Central 10.0.552.W Zohocorp Manageengine Remote Access Plus - Zohocorp Manageengine Remote Access Plus 10.0.252 Zohocorp Manageengine Remote Access Plus 10.0.253 Zohocorp Manageengine Remote Access Plus 10.0.254 Zohocorp Manageengine Remote Access Plus 10.0.255 Zohocorp Manageengine Remote Access Plus 10.0.256 Zohocorp Manageengine Remote Access Plus 10.0.257 Zohocorp Manageengine Remote Access Plus 10.0.258 Zohocorp Manageengine Remote Access Plus 10.0.259 Zohocorp Manageengine Remote Access Plus 10.0.415 Zohocorp Manageengine Remote Access Plus 10.0.416 Zohocorp Manageengine Remote Access Plus 10.0.421 Zohocorp Manageengine Remote Access Plus 10.0.422 Zohocorp Manageengine Remote Access Plus 10.0.428 Zohocorp Manageengine Remote Access Plus 10.0.430 Zohocorp Manageengine Remote Access Plus 10.0.431 Zohocorp Manageengine Remote Access Plus 10.0.432 Zohocorp Manageengine Remote Access Plus 10.0.433 Zohocorp Manageengine Remote Access Plus 10.0.434 Zohocorp Manageengine Remote Access Plus 10.0.435 Zohocorp Manageengine Remote Access Plus 10.0.436 Zohocorp Manageengine Remote Access Plus 10.0.440 Zohocorp Manageengine Remote Access Plus 10.0.447 Zohocorp Manageengine Remote Access Plus 10.0.448 Zohocorp Manageengine Remote Access Plus 10.0.450 Zohocorp Manageengine Remote Access Plus 10.0.451 Zohocorp Manageengine Remote Access Plus 10.0.452 Zohocorp Manageengine Remote Access Plus 10.0.453 Zohocorp Manageengine Remote Access Plus 10.0.454 Zohocorp Manageengine Remote Access Plus 10.0.465 Zohocorp Manageengine Remote Access Plus 10.0.466 Zohocorp Manageengine Remote Access Plus 10.0.468 Zohocorp Manageengine Remote Access Plus 10.0.469 Zohocorp Manageengine Remote Access Plus 10.0.472 Zohocorp Manageengine Remote Access Plus 10.0.473 Zohocorp Manageengine Remote Access Plus 10.0.476	37

Summary

Vulnerable Configurations

References