QID 375418

Date Published: 2021-03-30

QID 375418: Zoho ManageEngine DataSecurity Plus Remote Code Execution Vulnerability

DataSecurity Plus is licensed based on the number of Windows File Servers. The licensed version of DataSecurity Plus is fully functional and can fetch event data from all Windows File Servers

Zoho ManageEngine DataSecurity Plus prior to 6.0.1 does not validate the database schema name when handling a DR-SCHEMA-SYNC request.

Affected Versions:
DataSecurity Plus prior to 6.0.1

QID Detection Logic:
This QID checks for the vulnerable version of DataSecurity Plus

Successful exploitation allows an authenticated attacker to execute code in the context of the product by writing a JSP file to the webroot directory via directory traversal.

CVSS V3 rated as Critical - 8.8 severity.

CVSS V2 rated as High - 6.5 severity.

Solution

The vendor has issued a fix. For more information please visit advisory

Vendor References

DataSecurity Plus - pitstop.manageengine.com/portal/en/community/topic/upgrade-datasecurity-plus-to-the-build-6013-to-fix-security-issues

CVEs related to QID 375418

CVE-2020-11531 |

Software Advisories

Advisory ID	Software	Component	Link
DataSecurity Plus			pitstop.manageengine.com/portal/en/community/topic/upgrade-datasecurity-plus-to-the-build-6013-to-fix-security-issues

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].