Vulnerability Details : CVE-2020-21642
Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.
Vulnerability category: Directory traversal
Products affected by CVE-2020-21642
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:2.9:build2907:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:2.9:build2906:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:2.9:build2905:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:2.9:build2904:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:2.9:build2903:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:2.9:build2902:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:2.9:build2901:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:2.9:build2900:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.0:build3050:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.0:build3040:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.0:build3030:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.0:build3020:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.0:build3010:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.0:build3000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.1:build3140:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.1:build3130:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.1:build3120:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.1:build3110:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.1:build3100:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.2:build3250:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.2:build3200:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.3:build3310:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.3:build3300:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.4:build3450:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.4:build3400:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.5:build3500:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.6:build3600:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.7:build3700:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.8:build3800:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.9:build3950:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:3.9:build3900:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:4.0:build4000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:4.1:build4150:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:4.1:build4100:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:4.2:build4280:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:4.2:build4270:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:4.2:build4260:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:4.2:build4250:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:4.2:build4200:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:4.3:build4300:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:4.3:build4310:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-21642
0.86%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 83 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-21642
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2020-21642
-
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-21642
-
https://www.manageengine.com/analytics-plus/release-notes.html
Release Notes;Vendor Advisory
Jump to