
Cloud Vulnerability DB
A community-led vulnerabilities database
Zoho ManageEngine ADManager Plus before version 7203 contains a directory traversal vulnerability (CVE-2023-39912) that allows Help Desk Technician users to read arbitrary files on the machine where the product is installed. The vulnerability was discovered by Son Nguyen from VNG Security while working with Trend Micro Zero Day Initiative and was fixed on July 30, 2023 (Vendor Advisory).
The vulnerability exists within the download method and results from the lack of proper validation of a user-supplied path prior to using it in file operations. The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (Medium) with the vector string AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The issue is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (ZDI Advisory, NVD).
An attacker can leverage this vulnerability to disclose sensitive information in the context of the service account. The vulnerability allows authenticated Help Desk Technician users to read arbitrary files on the system where ADManager Plus is installed (ZDI Advisory).
ManageEngine has released version 7203 to address this vulnerability. Organizations are advised to update their ADManager Plus installation to build 7203 or later by installing the service pack (Vendor Advisory).
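To illustrate the CWE-22 pattern the advisory describes and the check that closes it, here is an added Python example (not ADManager Plus code; the export directory, handler names and paths are assumptions): the unsafe join beside a hardened resolver that rejects any path leaving the base directory.

```python
import os
from pathlib import Path

# Constructed demo. The base directory and function names are assumptions,
# not the product's real download handler.
EXPORT_DIR = Path("/opt/app/exports")  # assumed directory downloads come from


def resolve_unsafe(base_dir: Path, user_path: str) -> Path:
    """Vulnerable pattern (CWE-22): the user-supplied path is joined to the
    base directory and used as-is. '../' segments walk out of base_dir, and
    an absolute path makes os.path.join discard base_dir entirely."""
    return Path(os.path.join(base_dir, user_path))


def resolve_safe(base_dir: Path, user_path: str) -> Path:
    """Hardened pattern: normalise the joined path, follow symlinks, and
    require the result to stay under base_dir. Raises ValueError otherwise."""
    if not user_path or "\x00" in user_path:
        raise ValueError("empty or NUL-containing path")
    base = Path(os.path.normpath(base_dir)).resolve(strict=False)
    candidate = Path(os.path.normpath(os.path.join(base, user_path)))
    # resolve() also collapses symlinks that exist on disk, so a link inside
    # base_dir pointing elsewhere is caught by the containment test below.
    candidate = candidate.resolve(strict=False)
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes export directory: {user_path!r}")
    return candidate


def is_within_export_dir(user_path: str) -> bool:
    """True if the hardened resolver accepts user_path for EXPORT_DIR."""
    try:
        resolve_safe(EXPORT_DIR, user_path)
        return True
    except ValueError:
        return False
```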
Source: This report was generated using AI