CVE-2020-10816 : Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthen

Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet.

Published 2020-10-08 17:15:12

Updated 2020-10-15 19:21:38

Source MITRE

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2020-10816

Zohocorp » Manageengine Applications Manager » Version: 14.7
cpe:2.3:a:zohocorp:manageengine_applications_manager:14.7:-:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Applications Manager » Version: 14.7 Update Build14700
cpe:2.3:a:zohocorp:manageengine_applications_manager:14.7:build14700:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Applications Manager » Version: 14.7 Update Build14710
cpe:2.3:a:zohocorp:manageengine_applications_manager:14.7:build14710:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Applications Manager » Version: 14.7 Update Build14720
cpe:2.3:a:zohocorp:manageengine_applications_manager:14.7:build14720:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Applications Manager » Version: 14.7 Update Build14730
cpe:2.3:a:zohocorp:manageengine_applications_manager:14.7:build14730:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Applications Manager » Version: 14.7 Update Build14740
cpe:2.3:a:zohocorp:manageengine_applications_manager:14.7:build14740:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Applications Manager » Version: 14.7 Update Build14750
cpe:2.3:a:zohocorp:manageengine_applications_manager:14.7:build14750:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Applications Manager » Version: 14.7 Update Build14760
cpe:2.3:a:zohocorp:manageengine_applications_manager:14.7:build14760:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Applications Manager » Version: 14.7 Update Build14770
cpe:2.3:a:zohocorp:manageengine_applications_manager:14.7:build14770:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Applications Manager » Version: 14.7 Update Build14780
cpe:2.3:a:zohocorp:manageengine_applications_manager:14.7:build14780:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-10816

EPSS FAQ

32.74%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 96 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-10816

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2020-10816

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-10816

https://gitlab.com/eLeN3Re/CVE-2020-10816

eLeN3Re / CVE-2020-10816 · GitLab
Third Party Advisory
https://www.manageengine.com/au/products/applications_manager/security-updates/security-updates-cve-2020-10816.html

Security Updates - CVE Details - CVE-2020-10816 | ManageEngine Applications Manager
Vendor Advisory

Jump to

Vulnerability Details : CVE-2020-10816

Products affected by CVE-2020-10816

Exploit prediction scoring system (EPSS) score for CVE-2020-10816

CVSS scores for CVE-2020-10816

CWE ids for CVE-2020-10816

References for CVE-2020-10816