CVE-2022-42903: 
Zoho ManageEngine SupportCenter Plus vulnerability analysis and mitigation

Zoho ManageEngine SupportCenter Plus through version 11024 contains an information disclosure vulnerability (CVE-2022-42903) that allows low-privileged users (requesters and technicians) to view organization users list. The vulnerability was discovered in October 2022 and fixed in version 11025 (ManageEngine Advisory).

The vulnerability exists in the Global Settings component of SupportCenter Plus and stems from a missing role check procedure when certain APIs are called. This allows unauthorized access to portal owners' personal information including names and email addresses. The vulnerability has been assigned a CVSS v3 Base Score of 3.3 (Low) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

When exploited, this vulnerability allows unauthorized users within a SupportCenter Plus portal to access portal owners' personal details including names and email addresses, leading to information disclosure (ManageEngine Advisory).

ManageEngine has fixed this vulnerability by adding an Organization Administrator role check for APIs. Only users with this role can now access portal owners' details. Users are advised to upgrade to SupportCenter Plus version 11025 or later using the appropriate migration path (ManageEngine Advisory).