CVE-2022-36412: 
Zoho ManageEngine SupportCenter Plus vulnerability analysis and mitigation

In Zoho ManageEngine SupportCenter Plus versions 11022, 11021, and 11020, a critical authentication bypass vulnerability (CVE-2022-36412) was discovered affecting V3 API requests. The vulnerability was identified on July 21, 2022, and was reported by security researcher Raphael Cheneau. The issue stems from improper handling of previously authenticated users' credentials, which could allow unauthorized access to API operations (ManageEngine Advisory, NVD).

The vulnerability exists due to the lack of a proper mechanism to flush out previously authenticated users' credentials in the V3 API implementation. This security flaw allows non-login users to perform V3 API operations by leveraging credentials of users who had authenticated in the past. The vulnerability specifically affects the V3 API endpoints in SupportCenter Plus (ManageEngine Advisory).

The vulnerability enables unauthenticated users to perform any V3 API operations by impersonating previously authenticated users. This could potentially lead to unauthorized access to sensitive information and system operations, effectively bypassing the application's authentication controls (ManageEngine Advisory).

ManageEngine has addressed this vulnerability by implementing proper API authentication mechanisms to wipe the credentials of previous users. The fix is available in version 11023 of SupportCenter Plus. Users must upgrade to this version to protect against potential exploitation. There are no alternative workarounds; upgrading to version 11023 is the only recommended solution (ManageEngine Advisory).