[CVE-2022-24978] Privilege Escalation Vulnerability - ManageEngine ADAudit Plus

[CVE-2022-24978] Privilege Escalation Vulnerability - ManageEngine ADAudit Plus

Severity: High

CVEID: CVE-2022-24978

Affected Software Version(s): Build 7054 and below

Fixed Version: Build 7055

Fixed on: 8th March, 2022

Details: CVE-2022-24978 refers to a vulnerability that allows a low privileged user to access the plain text password of the integrated ADManager Plus login account in ManageEngine ADAudit Plus. This issue has been fixed by removing the password field from the JSON response.

Impact: As the password is disclosed in plain text, a low privileged attacker can gain elevated privileges depending on the privileges of the integrated ADManager Plus login account.

Steps to upgrade: Update your ADAudit Plus instance to build 7055 using the service pack.

Acknowledgments: This issue was reported by Sahil Dhar.

      New to ADSelfService Plus?

        Resources

                Related Products