CVE-2020-21642
CRITICAL
ManageEngine Analytics Plus < 4350 - Remote Code Execution via ZDBQAREFSUBDIR Path Traversal
Title source: llm
Description
Directory traversal vulnerability in the ZDBQAREFSUBDIR parameter of the /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.
References (1)
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://www.manageengine.com/analytics-plus/release-notes.html
Scores
CVSS v3: 9.8
EPSS: 0.0711
EPSS Percentile: 91.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-22
Status: published
Products (15)
zohocorp/manageengine_analytics_plus 2.9 build2900 (8 CPE variants)
zohocorp/manageengine_analytics_plus 3.0 build3000 (6 CPE variants)
zohocorp/manageengine_analytics_plus 3.1 build3100 (5 CPE variants)
zohocorp/manageengine_analytics_plus 3.2 build3200 (2 CPE variants)
zohocorp/manageengine_analytics_plus 3.3 build3300 (2 CPE variants)
zohocorp/manageengine_analytics_plus 3.4 build3400 (2 CPE variants)
zohocorp/manageengine_analytics_plus 3.5 build3500
zohocorp/manageengine_analytics_plus 3.6 build3600
zohocorp/manageengine_analytics_plus 3.7 build3700
zohocorp/manageengine_analytics_plus 3.8 build3800
... and 5 more
Published: Aug 15, 2022
Tracked Since: Feb 18, 2026