In Zoho ManageEngine SupportCenter Plus before 11023, V3 API requests are vulnerable to authentication bypass. (An API request may, in effect, be executed with the credentials of a user who authenticated in the past.)
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Manageengine_supportcenter_plus | Zohocorp | 11.0-11020 (including) | 11.0-11020 (including) |
Manageengine_supportcenter_plus | Zohocorp | 11.0-11021 (including) | 11.0-11021 (including) |
Manageengine_supportcenter_plus | Zohocorp | 11.0-11022 (including) | 11.0-11022 (including) |