Multiple vulnerabilities in Zoho ManageEngine SupportCenter Plus

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU72431

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to application does not properly impose security restrictions in All Portal Dashboard widgets. A remote user can escalate privileges within the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Zoho ManageEngine SupportCenter Plus: 14000

External links

http://www.manageengine.com/products/support-center/readme.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Resource exhaustion

EUVDB-ID: #VU72411

Risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: N/A

Exploit availability: No

Description

This vulnerability description is a duplicate for #VU71514 (CVE-2023-26601). Was removed from the security bulletin SB2023022032.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Zoho ManageEngine SupportCenter Plus: 14000

External links

http://www.manageengine.com/products/support-center/readme.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper Authentication

EUVDB-ID: #VU72419

Risk: Medium

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass 2FA authentication process.

The vulnerability exists due to an error in the Two-Factor Authentication login page. A remote attacker with knowledge of victim's credentials can bypass 2FA authentication process and gain unauthorized access to the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Zoho ManageEngine SupportCenter Plus: 14000

External links

http://www.manageengine.com/products/support-center/readme.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Cleartext transmission of sensitive information

EUVDB-ID: #VU72420

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to software uses insecure communication channel in backup scheduling to transmit passwords. A remote attacker with ability to intercept network traffic can gain access to sensitive data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Zoho ManageEngine SupportCenter Plus: 14000

External links

http://www.manageengine.com/products/support-center/readme.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.