CVE-2024-41140

Privilege escalation vulnerability in the 'Update user' function


Vulnerability Details

Severity: High
CVE ID: CVE-2024-41140
Affected software versions: v173900 and below
Fixed Versions: 170008 to 170099; 173303 to 173399; 174000 and above
Fixed On: 6 Jan 2025

Details

A vertical privilege escalation vulnerability in which a delegated admin could gain unauthorized admin access by modifying the user group parameter sent to the API that updates a user's profile.

Impact

This vulnerability can be exploited by users with DELEGATED ADMIN role privileges to act as the ADMIN.

Note:
  • This CVE security issue does not apply to the Applications Manager Plugin Setup.
  • This issue is applicable only if any user profile has Delegated Admin role privileges. You can check if you have a Delegated Admin user in your setup by navigating to Settings → User Management → Profiles.

Fix

Applications Manager version 174000 (refer above for other fixed versions) and above fixes this issue by implementing proper role validation.
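As an added illustration that is not Applications Manager's code, the Python below models this flaw class and the role validation the fix describes: the page's user group parameter is modelled as a hypothetical 'role' field, and all role names, user names and functions are constructed.

```python
"""Added illustration of the CVE-2024-41140 flaw class: an update-user handler
that trusts a caller-supplied user-group parameter. Hypothetical code, not
Applications Manager's; role names and the rank order are constructed."""
import copy

# Constructed role hierarchy; a higher rank means more privilege.
ROLE_RANK = {"USER": 0, "OPERATOR": 1, "DELEGATED_ADMIN": 2, "ADMIN": 3}
_SEED = {"alice": {"role": "ADMIN"}, "dan": {"role": "DELEGATED_ADMIN"},
         "uma": {"role": "USER"}}


def fresh_store():
    """Return an independent copy of the constructed user table."""
    return copy.deepcopy(_SEED)


def update_user_vulnerable(caller, target, params, store):
    """Before: any admin-class caller may set any field, including 'role'."""
    if ROLE_RANK[store[caller]["role"]] < ROLE_RANK["DELEGATED_ADMIN"]:
        raise PermissionError("admin privileges required")
    store[target].update(params)  # request-supplied 'role' lands here unchecked
    return store[target]["role"]


def update_user_fixed(caller, target, params, store):
    """After: the caller's rank bounds both the target and the requested role."""
    caller_rank = ROLE_RANK[store[caller]["role"]]
    if caller_rank < ROLE_RANK["DELEGATED_ADMIN"]:
        raise PermissionError("admin privileges required")
    if ROLE_RANK[store[target]["role"]] > caller_rank:
        raise PermissionError("target outranks caller")
    new_role = params.get("role")
    if new_role is not None:
        if new_role not in ROLE_RANK:
            raise ValueError("unknown role")
        if ROLE_RANK[new_role] > caller_rank:
            raise PermissionError("cannot grant a role above your own")
    store[target].update(params)
    return store[target]["role"]


def attempt(handler, caller, target, params):
    """Run one request against a fresh store; return (allowed, resulting role)."""
    store = fresh_store()
    try:
        return True, handler(caller, target, params, store)
    except PermissionError:
        return False, store[target]["role"]
```

The fixed handler rejects the delegated admin's self-elevation to ADMIN while still permitting changes to lower-privileged accounts.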

Steps to update

Update your Applications Manager instance to the latest build using the service pack.

Source and Acknowledgements

Find out more about CVE-2024-41140 from the CVE Directory and NIST NVD.

Reported by:

maneesh

Need Help?

For clarification or corrections, please contact our support team or email us at appmanager-support@manageengine.com.
