CVE-2020-21642

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

Published: Aug 15, 2022
Updated: Apr 14, 2023
CVE: CVE-2020-21642
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
zohocorp / manageengine_analytics_plus	2.9-build2907	2.9-build2907.x
zohocorp / manageengine_analytics_plus	2.9-build2906	2.9-build2906.x
zohocorp / manageengine_analytics_plus	2.9-build2905	2.9-build2905.x
zohocorp / manageengine_analytics_plus	2.9-build2904	2.9-build2904.x
zohocorp / manageengine_analytics_plus	2.9-build2903	2.9-build2903.x
zohocorp / manageengine_analytics_plus	2.9-build2902	2.9-build2902.x
zohocorp / manageengine_analytics_plus	2.9-build2901	2.9-build2901.x
zohocorp / manageengine_analytics_plus	2.9-build2900	2.9-build2900.x
zohocorp / manageengine_analytics_plus	3.0-build3050	3.0-build3050.x
zohocorp / manageengine_analytics_plus	3.0-build3040	3.0-build3040.x
zohocorp / manageengine_analytics_plus	3.0-build3030	3.0-build3030.x
zohocorp / manageengine_analytics_plus	3.0-build3020	3.0-build3020.x
zohocorp / manageengine_analytics_plus	3.0-build3010	3.0-build3010.x
zohocorp / manageengine_analytics_plus	3.0-build3000	3.0-build3000.x
zohocorp / manageengine_analytics_plus	3.1-build3140	3.1-build3140.x
zohocorp / manageengine_analytics_plus	3.1-build3130	3.1-build3130.x
zohocorp / manageengine_analytics_plus	3.1-build3120	3.1-build3120.x
zohocorp / manageengine_analytics_plus	3.1-build3110	3.1-build3110.x
zohocorp / manageengine_analytics_plus	3.1-build3100	3.1-build3100.x
zohocorp / manageengine_analytics_plus	3.2-build3250	3.2-build3250.x
zohocorp / manageengine_analytics_plus	3.2-build3200	3.2-build3200.x
zohocorp / manageengine_analytics_plus	3.3-build3310	3.3-build3310.x
zohocorp / manageengine_analytics_plus	3.3-build3300	3.3-build3300.x
zohocorp / manageengine_analytics_plus	3.4-build3450	3.4-build3450.x
zohocorp / manageengine_analytics_plus	3.4-build3400	3.4-build3400.x
zohocorp / manageengine_analytics_plus	3.5-build3500	3.5-build3500.x
zohocorp / manageengine_analytics_plus	3.6-build3600	3.6-build3600.x
zohocorp / manageengine_analytics_plus	3.7-build3700	3.7-build3700.x
zohocorp / manageengine_analytics_plus	3.8-build3800	3.8-build3800.x
zohocorp / manageengine_analytics_plus	3.9-build3950	3.9-build3950.x
zohocorp / manageengine_analytics_plus	3.9-build3900	3.9-build3900.x
zohocorp / manageengine_analytics_plus	4.0-build4000	4.0-build4000.x
zohocorp / manageengine_analytics_plus	4.1-build4150	4.1-build4150.x
zohocorp / manageengine_analytics_plus	4.1-build4100	4.1-build4100.x
zohocorp / manageengine_analytics_plus	4.2-build4280	4.2-build4280.x
zohocorp / manageengine_analytics_plus	4.2-build4270	4.2-build4270.x
zohocorp / manageengine_analytics_plus	4.2-build4260	4.2-build4260.x
zohocorp / manageengine_analytics_plus	4.2-build4250	4.2-build4250.x
zohocorp / manageengine_analytics_plus	4.2-build4200	4.2-build4200.x
zohocorp / manageengine_analytics_plus	4.3-build4300	4.3-build4300.x
zohocorp / manageengine_analytics_plus	4.3-build4310	4.3-build4310.x

https://www.manageengine.com/analytics-plus/release-notes.html

Vulnerability Database

289,782

CVE-2020-21642