CVE-2022-24978

Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response.

Weakness

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Affected Software

Name	Vendor	Start Version	End Version
Manageengine_adaudit_plus	Zohocorp	*	6.0 (including)
Manageengine_adaudit_plus	Zohocorp	7.0-7000 (including)	7.0-7000 (including)
Manageengine_adaudit_plus	Zohocorp	7.0-7002 (including)	7.0-7002 (including)
Manageengine_adaudit_plus	Zohocorp	7.0-7003 (including)	7.0-7003 (including)
Manageengine_adaudit_plus	Zohocorp	7.0-7004 (including)	7.0-7004 (including)
Manageengine_adaudit_plus	Zohocorp	7.0-7005 (including)	7.0-7005 (including)
Manageengine_adaudit_plus	Zohocorp	7.0-7006 (including)	7.0-7006 (including)
Manageengine_adaudit_plus	Zohocorp	7.0-7007 (including)	7.0-7007 (including)
Manageengine_adaudit_plus	Zohocorp	7.0-7008 (including)	7.0-7008 (including)
Manageengine_adaudit_plus	Zohocorp	7.0-7050 (including)	7.0-7050 (including)
Manageengine_adaudit_plus	Zohocorp	7.0-7051 (including)	7.0-7051 (including)
Manageengine_adaudit_plus	Zohocorp	7.0-7052 (including)	7.0-7052 (including)
Manageengine_adaudit_plus	Zohocorp	7.0-7053 (including)	7.0-7053 (including)
Manageengine_adaudit_plus	Zohocorp	7.0-7054 (including)	7.0-7054 (including)

NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-24978
CWE	https://cwe.mitre.org/data/definitions/319.html

Cleartext Transmission of Sensitive Information

Weakness

Affected Software

Potential Mitigations

References

CVE-2022-24978

Cleartext Transmission of Sensitive Information

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References