CVE-2019-20474
MEDIUM
Zoho ManageEngine Remote Access Plus 10.0.447 - Server-Side Request Forgery via Mail-Server Configuration Test
Title source: llm
Description
An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF.
References (2)
Core References
Vendor Advisory x_refsource_misc
https://www.manageengine.com/remote-desktop-management/knowledge-base/authorization-failure.html
Third Party Advisory x_refsource_misc
https://excellium-services.com/cert-xlm-advisory/cve-2019-20474/
Scores
CVSS v3: 4.3
EPSS: 0.0017
EPSS Percentile: 37.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE: CWE-918
Status: published
Products (1)
zohocorp/manageengine_remote_access_plus 10.0.447
Published: Feb 17, 2020
Tracked Since: Feb 18, 2026