CVE-2021-46166: 
Zoho ManageEngine Desktop Central Server vulnerability analysis and mitigation

Zoho ManageEngine Desktop Central before version 10.0.662 contained a vulnerability that allowed authenticated users to access sensitive information from the database through the Reports page. The vulnerability was identified and fixed in build 10.0.662, released on May 3, 2021 (Vendor Advisory).

The vulnerability was assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. It is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The issue specifically allowed authenticated users with access to the Reports module to view sensitive data stored in the database (NVD).

The vulnerability exposed sensitive information from the database to authenticated users who had access to the Reports page. This could lead to unauthorized access to confidential data stored within the ManageEngine Desktop Central system (Vendor Advisory).

The vulnerability was patched in Desktop Central build 10.0.662. The fix included downgrading the access level for the Reports module to Read-Only for all users and implementing restrictions to prevent users from viewing sensitive database tables. Users are advised to update to build 10.0.662 or later to address this vulnerability (Vendor Advisory).