CVE-2024-41140 (GCVE-0-2024-41140)
Vulnerability from cvelistv5 – Published: 2025-01-29 11:14 – Updated: 2025-02-12 19:51
VLAI
EPSS
VEX
Title
Improper Authorization
Summary
Zohocorp ManageEngine Applications Manager versions 174000 and prior are vulnerable to the incorrect authorization in the update user function.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ManageEngine | Applications Manager |
Affected:
0 , ≤ 174000
(174000)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41140",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T14:06:02.590376Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T19:51:14.429Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Applications Manager",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "174000",
"status": "affected",
"version": "0",
"versionType": "174000"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "maneesh"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine Applications Manager versions\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e174000 and prior are vulnerable to the incorrect authorization in the update user function.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine Applications Manager versions\u00a0174000 and prior are vulnerable to the incorrect authorization in the update user function."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T11:14:50.910Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2024-41140.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Authorization",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-41140",
"datePublished": "2025-01-29T11:14:50.910Z",
"dateReserved": "2024-07-16T07:03:21.743Z",
"dateUpdated": "2025-02-12T19:51:14.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-41140",
"date": "2026-07-16",
"epss": "0.00896",
"percentile": "0.55511"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-41140\",\"sourceIdentifier\":\"0fc0942c-577d-436f-ae8e-945763c79b02\",\"published\":\"2025-01-29T12:15:28.293\",\"lastModified\":\"2026-06-17T07:47:21.333\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Zohocorp ManageEngine Applications Manager versions\u00a0174000 and prior are vulnerable to the incorrect authorization in the update user function.\"},{\"lang\":\"es\",\"value\":\"Las versiones 174000 y anteriores de Zohocorp ManageEngine Applications Manager son vulnerables a la autorizaci\u00f3n incorrecta en la funci\u00f3n de actualizaci\u00f3n de usuario.\"}],\"affected\":[{\"source\":\"0fc0942c-577d-436f-ae8e-945763c79b02\",\"affectedData\":[{\"vendor\":\"ManageEngine\",\"product\":\"Applications Manager\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"174000\",\"versionType\":\"174000\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"0fc0942c-577d-436f-ae8e-945763c79b02\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":5.2}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2025-01-29T14:06:02.590376Z\",\"id\":\"CVE-2024-41140\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"0fc0942c-577d-436f-ae8e-945763c79b02\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"17.0\",\"matchCriteriaId\":\"6F60B2FA-65D9-4F15-8F36-5BBD328D70E9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.1\",\"versionEndExcluding\":\"17.3\",\"matchCriteriaId\":\"5B24E6C3-B81B-4324-A3AF-02B8C5A9CACD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:17.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"6DBF4AD2-F1FA-4397-872D-15F7F0B499ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:17.0:build170000:*:*:*:*:*:*\",\"matchCriteriaId\":\"24D9A360-987B-4631-AC4E-A83C19AC6218\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:17.0:build170001:*:*:*:*:*:*\",\"matchCriteriaId\":\"CF0F0C0E-7534-490B-B009-8B24E258D8A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:17.0:build170002:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD6375B4-C9BD-44F0-A0B9-2F5CD80EE54C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:17.0:build170003:*:*:*:*:*:*\",\"matchCriteriaId\":\"AD694576-88FB-4A79-9A7E-744359439133\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:17.0:build170004:*:*:*:*:*:*\",\"matchCriteriaId\":\"719105AD-C4D8-43FD-AF87-2E1F400413E3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:17.0:build170005:*:*:*:*:*:*\",\"matchCriteriaId\":\"6AF01C0D-3362-46B0-8D9E-2D54AD6906D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:17.0:build170006:*:*:*:*:*:*\",\"matchCriteriaId\":\"2FB1C60A-13B5-4D35-834D-39D31F07A46E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:17.0:build170007:*:*:*:*:*:*\",\"matchCriteriaId\":\"A0A66F8C-322C-4AE8-A915-85D813028E8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:17.3:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"3785344C-D42E-4408-8DA6-05800B17D61A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:17.3:build173000:*:*:*:*:*:*\",\"matchCriteriaId\":\"87A0EB98-F81A-4870-8D78-4E6C0B7F06D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:17.3:build173100:*:*:*:*:*:*\",\"matchCriteriaId\":\"26D43D3E-99DA-4BAA-8326-FB0C344CD58F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:17.3:build173200:*:*:*:*:*:*\",\"matchCriteriaId\":\"444D1677-D36C-4402-A78B-E719B8EE7C4D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:17.3:build173300:*:*:*:*:*:*\",\"matchCriteriaId\":\"5AAC7171-AAFC-4308-9181-22B4C9E92196\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:17.3:build173301:*:*:*:*:*:*\",\"matchCriteriaId\":\"3CB9713C-4105-4E98-AC7A-9057B6657329\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:17.3:build173302:*:*:*:*:*:*\",\"matchCriteriaId\":\"09C7E0A0-FE94-4702-9099-3BD1636E99CB\"}]}]}],\"references\":[{\"url\":\"https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2024-41140.html\",\"source\":\"0fc0942c-577d-436f-ae8e-945763c79b02\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…