CVE-2020-11531
ManageEngine DataSecurity Plus Path Traversal / Code Execution
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
The DataEngine Xnode Server application in Zoho ManageEngine DataSecurity Plus prior to 6.0.1 does not validate the database schema name when handling a DR-SCHEMA-SYNC request. This allows an authenticated attacker to execute code in the context of the product by writing a JSP file to the webroot directory via directory traversal.
La aplicación DataEngine Xnode Server en Zoho ManageEngine DataSecurity Plus versiones anteriores a 6.0.1, no comprueba el nombre del esquema de la base de datos al manejar una petición DR-SCHEMA-SYNC. Esto permite a un atacante autenticado ejecutar código en el contexto del producto al escribir un archivo JSP en el directorio webroot por medio de un salto de directorio.
ManageEngine DataSecurity Plus versions prior to 6.0.1 and ADAudit Plus versions prior to 6.0.3 suffers from a path traversal vulnerability that can lead to remote code execution.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-04-04 CVE Reserved
- 2020-05-08 CVE Published
- 2024-01-24 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://pitstop.manageengine.com/portal/community/topic/upgrade-datasecurity-plus-to-the-build-6013-to-fix-security-issues | X_refsource_confirm |
| URL | Date | SRC |
|---|---|---|
| http://packetstormsecurity.com/files/157604/ManageEngine-DataSecurity-Plus-Path-Traversal-Code-Execution.html | 2024-08-04 | |
| http://seclists.org/fulldisclosure/2020/May/27 | 2024-08-04 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Zohocorp Search vendor "Zohocorp" | Manageengine Adaudit Plus Search vendor "Zohocorp" for product "Manageengine Adaudit Plus" | < 6.0.1 Search vendor "Zohocorp" for product "Manageengine Adaudit Plus" and version " < 6.0.1" | - |
Affected
| ||||||
| Zohocorp Search vendor "Zohocorp" | Manageengine Datasecurity Plus Search vendor "Zohocorp" for product "Manageengine Datasecurity Plus" | < 6.0.1 Search vendor "Zohocorp" for product "Manageengine Datasecurity Plus" and version " < 6.0.1" | - |
Affected
| ||||||