Affected Software Version(s): Build 7054 and below
Fixed Version: Build 7055
Fixed on: 8th March, 2022
Details: CVE-2022-24978 is a vulnerability in ManageEngine ADAudit Plus that allows a low-privileged user to access the plaintext password of the integrated ADManager Plus login account. This issue has been fixed by removing the password field from the JSON response.
Impact: Because the password is disclosed in plaintext, a low-privileged attacker can gain elevated privileges; how far depends on the privileges of the integrated ADManager Plus login account.
Steps to upgrade:
Update your ADAudit Plus instance to build 7055 using the service pack.
Acknowledgments: This issue was reported by Sahil Dhar.
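
A regression check for the fix described under Details, as an added example that is not from the vendor or the advisory: it walks a JSON response captured from a low-privileged session and reports any credential-named field that still carries a value. The key-name pattern, the sample bodies and their field names are constructed assumptions, not the product's actual API.

```python
import json
import re

# Assumed naming pattern for credential-bearing keys; tune it for the API under test.
SECRET_KEY = re.compile(r"passw(or)?d|pwd|secret|api[_-]?key", re.I)
# A fully masked placeholder such as "********" is not a disclosure.
MASKED = re.compile(r"^[*x\u2022]+$", re.I)


def find_secret_fields(node, path="$"):
    """Return JSON paths of credential-named keys that carry a real string value."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if (SECRET_KEY.search(key) and isinstance(value, str)
                    and value and not MASKED.match(value)):
                hits.append(child)
            hits.extend(find_secret_fields(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_secret_fields(item, f"{path}[{i}]"))
    elif isinstance(node, str) and node.lstrip().startswith(("{", "[")):
        # JSON is sometimes embedded as a string inside JSON; inspect it as well.
        try:
            hits.extend(find_secret_fields(json.loads(node), path + "<embedded>"))
        except ValueError:
            pass
    return hits


def audit_response(body):
    """Parse a response body captured from a low-privileged session and audit it."""
    return find_secret_fields(json.loads(body))


# Constructed sample bodies; the field names are hypothetical, not the product's.
BEFORE_FIX = json.dumps({"integrations": [
    {"product": "ADManager Plus", "loginName": "svc-integration",
     "password": "constructed-sample-value"}]})
AFTER_FIX = json.dumps({"integrations": [
    {"product": "ADManager Plus", "loginName": "svc-integration"}]})

if __name__ == "__main__":
    for label, body in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        leaks = audit_response(body)
        print(label, "->", leaks if leaks else "no credential fields returned")
```

Run the same check against every response a low-privileged role can reach after upgrading, so that a credential field reappearing in a later build is caught by the test suite.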