
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2019-20474 affects Zoho ManageEngine Remote Access Plus version 10.0.447. The vulnerability was discovered on October 21, 2019, and involves an authorization issue in the mail-server configuration testing service. This security flaw allows users with 'Guest' privileges (read-only access) to perform unauthorized actions (ManageEngine KB, Excellium Services).
The vulnerability has a CVSS v3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), which places it in the Medium severity band. The issue specifically affects the mail server configuration testing service, where improper authorization controls allow guest users to exceed their intended read-only access permissions (Excellium Services).
The vulnerability allows guest users to access unauthorized functionality, including the ability to perform network and port scans of the localhost or hosts on the same network segment. Additionally, affected users could access credential manager details such as credential name, credential type, username, and domain/workgroup name, though passwords remain protected (ManageEngine KB).
The vulnerability was fixed in Remote Access Plus version 10.0.451. For on-premises installations, users should download and apply the latest Remote Access Plus build from the service packs page. For cloud installations, the fix was released on September 29, 2020 (ManageEngine KB).
Source: This report was generated using AI