CVE-2020-13818

In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.manageengine.com/network-monitoring/help/read-me-complete.html	Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-20-691/
https://www.manageengine.com/network-monitoring/help/read-me-complete.html	Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-20-691/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zohocorp:manageengine_opmanager::::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:-::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125000::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125002::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125100::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125101::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125102::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125108::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125110::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125111::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125112::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125113::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125114::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125116::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125117::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125118::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125120::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125121::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125123::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125124::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125125::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125136::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125137::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125139::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125140::::::
	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125143::::::

History

21 Nov 2024, 05:01

Type	Values Removed	Values Added
References	~~() https://www.manageengine.com/network-monitoring/help/read-me-complete.html - Vendor Advisory~~	() https://www.manageengine.com/network-monitoring/help/read-me-complete.html - Vendor Advisory
References	~~() https://www.zerodayinitiative.com/advisories/ZDI-20-691/ -~~	() https://www.zerodayinitiative.com/advisories/ZDI-20-691/ -

22 Jun 2021, 17:29

Type	Values Removed	Values Added
CPE	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:125120:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:125136:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:125118:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:125140:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:125143:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:125125:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:125124:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:125117:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:125121:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:125123:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:125139:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:125137::::::	cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125143:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125125:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125140:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125136:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125120:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125137:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125139:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125123:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125121:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125117:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125124:::::: cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:build125118::::::

Information

Published : 2020-06-04 13:15

Updated : 2024-11-21 05:01

NVD link : CVE-2020-13818

Mitre link : CVE-2020-13818

CVE.ORG link : CVE-2020-13818

JSON object : View

Products Affected

zohocorp

manageengine_opmanager

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2020-13818

7.5^/10

5.0^/10

Attach tags to `CVE-2020-13818`