CVE-2020-15595 - Vulnerability Details - OpenCVE

An issue was discovered in Zoho Application Control Plus before version 10.0.511. The Element Configuration feature (to configure elements included in the scope of elements managed by the product) allows an attacker to retrieve the entire list of the IP ranges and subnets configured in the product and consequently obtain information about the cartography of the internal networks to which the product has access.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zohocorp	Manageengine Application Control Plus

Configuration 1 [-]

cpe:2.3:a:zohocorp:manageengine_application_control_plus:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://cds.thalesgroup.com/en/tcs-cert/CVE-2020-15595
https://excellium-services.com/cert-xlm-advisory/CVE-2020-15595

History

Fri, 30 May 2025 16:15:00 +0000

Type	Values Removed	Values Added
References		https://cds.thalesgroup.com/en/tcs-cert/CVE-2020-15595

Wed, 18 Dec 2024 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zohocorp manageengine Application Control Plus
CPEs	cpe:2.3:a:zohocorp:application_control_plus::::::::	cpe:2.3:a:zohocorp:manageengine_application_control_plus::::::::
Vendors & Products	Zohocorp application Control Plus	Zohocorp manageengine Application Control Plus

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-09-29T12:56:55.000Z

Updated: 2025-05-30T16:01:24.120Z

Reserved: 2020-07-07T00:00:00.000Z

Link: CVE-2020-15595

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-09-30T18:15:22.413

Modified: 2025-05-30T16:15:25.327

Link: CVE-2020-15595

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2020-09-09T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "An issue was discovered in Zoho Application Control Plus before version 10.0.511. The Element Configuration feature (to configure elements included in the scope of elements managed by the product) allows an attacker to retrieve the entire list of the IP ranges and subnets configured in the product and consequently obtain information about the cartography of the internal networks to which the product has access."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2025-05-30T16:01:24.120Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"url": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-15595"}, {"url": "https://cds.thalesgroup.com/en/tcs-cert/CVE-2020-15595"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-15595", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Zoho Application Control Plus before version 10.0.511. The Element Configuration feature (to configure elements included in the scope of elements managed by the product) allows an attacker to retrieve the entire list of the IP ranges and subnets configured in the product and consequently obtain information about the cartography of the internal networks to which the product has access."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-15595", "refsource": "MISC", "url": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-15595"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:22:30.656Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-15595"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-15595", "datePublished": "2020-09-29T12:56:55.000Z", "dateReserved": "2020-07-07T00:00:00.000Z", "dateUpdated": "2025-05-30T16:01:24.120Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_application_control_plus:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF31CC08-8FB7-4913-925E-FDFE4E4DC366", "versionEndExcluding": "10.0.511", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Zoho Application Control Plus before version 10.0.511. The Element Configuration feature (to configure elements included in the scope of elements managed by the product) allows an attacker to retrieve the entire list of the IP ranges and subnets configured in the product and consequently obtain information about the cartography of the internal networks to which the product has access."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Zoho Application Control Plus versiones anteriores a 10.0.511. La funcionalidad Element Configuration (para configurar elementos incluidos en el alcance de los elementos gestionados por el producto) permite a un atacante recuperar la lista completa de los rangos de IP y subredes configuradas en el producto y, en consecuencia, obtener informaci\u00f3n sobre la cartograf\u00eda de las redes internas a las que el producto presenta acceso"}], "id": "CVE-2020-15595", "lastModified": "2025-05-30T16:15:25.327", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-30T18:15:22.413", "references": [{"source": "cve@mitre.org", "url": "https://cds.thalesgroup.com/en/tcs-cert/CVE-2020-15595"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-15595"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-15595"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}