Vulnerability Details : CVE-2020-24786
An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise.
Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2020-24786
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5800:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5801:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5802:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5803:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5804:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5805:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5806:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5807:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5808:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:-:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5809:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5810:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5811:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5812:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5813:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5814:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5815:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5816:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_admanager_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_admanager_plus:7.0:7000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_admanager_plus:7.0:7010:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_admanager_plus:7.0:7011:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_admanager_plus:7.0:7020:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_admanager_plus:7.0:7030:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_admanager_plus:7.0:7040:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_admanager_plus:7.0:7041:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_admanager_plus:7.0:7050:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_admanager_plus:7.0:7051:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_admanager_plus:7.0:7052:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_admanager_plus:7.0:7053:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_admanager_plus:7.0:7054:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:12.1.3:12130:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:12.1.3:12135:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4300:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4301:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4302:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4303:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4304:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4305:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4306:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4308:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4309:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4310:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4311:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4312:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4316:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4317:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4318:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4319:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4320:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4321:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4322:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4324:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4325:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4327:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4328:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4329:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4330:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4331:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4332:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4333:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.3:4334:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:6.0:6000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:6.0:6001:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:6.0:6002:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:6.0:6003:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:6.0:6010:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:6.0:6030:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:6.0:6031:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:6.0:6032:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:6.0:6033:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:6.0:6050:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:6.0:6052:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:6.0:6000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:6.0:6001:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:6.0:6002:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:6.0:6003:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:6.0:6010:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:6.0:6011:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:6.0:6012:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:6.0:6013:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:6.0:6020:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:6.0:6021:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:6.0:6030:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:6.0:6031:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_datasecurity_plus:6.0:6032:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.5:5500:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.5:5501:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.5:5502:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.5:5503:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.5:5504:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4200:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4201:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4202:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4203:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4204:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4205:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4206:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4207:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4208:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4209:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4210:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4212:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4213:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4214:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4215:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4216:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4217:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4219:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4220:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4222:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4223:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4224:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4225:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.2:4227:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_recovermanager_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_recovermanager_plus:6.0:6001:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_recovermanager_plus:6.0:6003:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_recovermanager_plus:6.0:6005:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_recovermanager_plus:6.0:6011:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_recovermanager_plus:6.0:6016:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_cloud_security_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_cloud_security_plus:4.1:4100:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_cloud_security_plus:4.1:4101:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_cloud_security_plus:4.1:4102:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_cloud_security_plus:4.1:4103:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_cloud_security_plus:4.1:4104:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_cloud_security_plus:4.1:4105:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_cloud_security_plus:4.1:4106:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_cloud_security_plus:4.1:4107:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_cloud_security_plus:4.1:4108:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_cloud_security_plus:4.1:4109:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_log360:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_log360:5.1:5100:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_log360:5.1:5102:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_log360:5.1:5107:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_log360:5.1:5108:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_log360:5.1:5110:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_log360:5.1:5111:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_log360:5.1:5120:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_log360:5.1:5150:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_log360:5.1:5154:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_log360:5.1:5155:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_log360:5.1:5160:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_log360:5.1:5164:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-24786
- EPSS score: 2.36% (probability of exploitation activity in the next 30 days)
- Percentile: ~90% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-24786
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2020-24786
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-24786
- https://www.manageengine.com/products/eventlog/features-new.html
  Eventlog Analyzer Latest Features (Vendor Advisory)
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability-15-5-2020-1
  How to identify and mitigate the unauthenticated product integration vulnerability? (Vendor Advisory)
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability-17-5-2020
  How to fix the unauthenticated product integration vulnerability (Vendor Advisory)
- https://pitstop.manageengine.com/portal/en/kb/articles/manageengine-log360-security-advisory-regarding-unauthenticated-product-integration-vulnerability
  ManageEngine Log360 - Security advisory regarding unauthenticated product integration vulnerability. (Vendor Advisory)
- https://pitstop.manageengine.com/portal/en/community/topic/admanager-plus-fixes-and-enhancements
  ADManager Plus Fixes and Enhancements (Vendor Advisory)
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability-18-5-2020
  How to fix the unauthenticated product integration vulnerability (Vendor Advisory)
- https://medium.com/@frycos/another-zoho-manageengine-story-7b472f1515f5
  (Third Party Advisory)
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability-18-5-2020
  How to identify and mitigate the unauthenticated product integration vulnerability. (Vendor Advisory)
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-identify-and-mitigate-the-unauthenticated-product-integration-vulnerability
  How to identify and mitigate the unauthenticated product integration vulnerability? (Vendor Advisory)
- https://pitstop.manageengine.com/portal/en/community/topic/how-to-fix-the-unauthenticated-product-integration-vulnerability
  How to fix the unauthenticated product integration vulnerability (Vendor Advisory)
- https://www.manageengine.com/data-security/release-notes.html
  Release notes | ManageEngine DataSecurity Plus (Vendor Advisory)
- https://pitstop.manageengine.com/portal/en/kb/articles/manageengine-cloud-security-plus-security-advisory-regarding-unauthenticated-product-integration-vulnerability
  ManageEngine Cloud Security Plus - Security advisory regarding unauthenticated product integration vulnerability. (Vendor Advisory)