Headline
CVE-2020-24743: List of bug fixes and feature enhancements - ManageEngine Applications Manager
An issue was found in /showReports.do in Zoho ManageEngine Applications Manager up to 14550 that allows attackers to gain escalated privileges via the resourceid parameter.
Related news
An improper authorization vulnerability [CWE-285] in FortiClient for Windows versions 7.0.1 and below and 6.4.2 and below may allow a local unprivileged attacker to escalate their privileges to SYSTEM via the named pipe responsible for FortiClient updates.
The affected product is vulnerable to directory traversal due to mishandling of provided backup folder structure.
The affected product is vulnerable to a parameter injection via passphrase, which enables the attacker to supply uncontrolled input.
The affected product is vulnerable to an unsanitized extract folder for system configuration. A low-privileged user can leverage this logic to overwrite the settings and other key functionality.
The affected product is vulnerable to a missing permission validation on system backup restore, which could lead to account takeover and unapproved settings change.
Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE.
Unauthorized information security disclosure vulnerability on Micro Focus Directory and Resource Administrator (DRA) product, affecting all DRA versions prior to 10.1 Patch 1. The vulnerability could lead to unauthorized information disclosure.
Zoho ManageEngine ADManager Plus version 7110 and prior has a Post-Auth OS command injection vulnerability.
Zoho ManageEngine ADManager Plus version 7110 and prior allows account takeover via SSO.
ManageEngine ADManager Plus before 7111 has Pre-authentication RCE vulnerabilities.
Open Redirection vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4.
Information leakage vulnerability in NetIQ Access Manager prior to 5.0.1 and 4.5.4.