CVE Vulnerabilities

CVE-2022-24978

Cleartext Transmission of Sensitive Information

Published: Apr 05, 2022 | Modified: Nov 21, 2024
CVSS 3.x
8.8
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
6.5 MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu

Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response.

Weakness

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Affected Software

Name Vendor Start Version End Version
Manageengine_adaudit_plus Zohocorp * 6.0 (including)
Manageengine_adaudit_plus Zohocorp 7.0-7000 (including) 7.0-7000 (including)
Manageengine_adaudit_plus Zohocorp 7.0-7002 (including) 7.0-7002 (including)
Manageengine_adaudit_plus Zohocorp 7.0-7003 (including) 7.0-7003 (including)
Manageengine_adaudit_plus Zohocorp 7.0-7004 (including) 7.0-7004 (including)
Manageengine_adaudit_plus Zohocorp 7.0-7005 (including) 7.0-7005 (including)
Manageengine_adaudit_plus Zohocorp 7.0-7006 (including) 7.0-7006 (including)
Manageengine_adaudit_plus Zohocorp 7.0-7007 (including) 7.0-7007 (including)
Manageengine_adaudit_plus Zohocorp 7.0-7008 (including) 7.0-7008 (including)
Manageengine_adaudit_plus Zohocorp 7.0-7050 (including) 7.0-7050 (including)
Manageengine_adaudit_plus Zohocorp 7.0-7051 (including) 7.0-7051 (including)
Manageengine_adaudit_plus Zohocorp 7.0-7052 (including) 7.0-7052 (including)
Manageengine_adaudit_plus Zohocorp 7.0-7053 (including) 7.0-7053 (including)
Manageengine_adaudit_plus Zohocorp 7.0-7054 (including) 7.0-7054 (including)

Potential Mitigations

References