Description
Properties.do in ZOHO ManageEngine OpStor before build 8500 does not properly check privilege levels, which allows remote authenticated users to obtain Admin access by using the name parameter in conjunction with a true value of the edit parameter.
References (2)
Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/66499
Third Party Advisory, US Government Resource third-party-advisory
x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/140886
Scores
EPSS
0.0158
EPSS Percentile
81.8%
Details
CWE
CWE-264
Status
published
Products (1)
zohocorp/manageengine_opstor
< 8.3
Published
Mar 29, 2014
Tracked Since
Feb 18, 2026