Open Redirection Vulnerability

This document addresses an open redirection vulnerability identified in ManageEngine Remote Access Plus, reported by Lukasz.

Update Released Build: 10.1.2137.6
Update Released Date: December 16, 2021


What was the problem?

In specific cases, an unauthenticated user can give a product technician a link that redirects the technician to a different URL.

How was the issue fixed?

From now on, the URLs involved are validated before redirecting the technician.
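The advisory does not publish the affected parameter or the validation logic, so the following is an added example of this kind of redirect-target check, not ManageEngine's code. The host name `console.example`, the default target and both function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed values: the console's own host and a fallback landing page.
ALLOWED_HOSTS = {"console.example"}
DEFAULT_TARGET = "/"


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for local paths or absolute URLs on an allowed host."""
    # Reject empty input and any whitespace or control character, which
    # browsers may strip before interpreting the URL.
    if not target or any(ord(c) < 0x21 or c == "\x7f" for c in target):
        return False
    # Browsers treat "\" like "/", so normalise before inspecting the prefix.
    normalised = target.replace("\\", "/")
    if normalised.startswith("//"):
        return False  # protocol-relative URL pointing at another host
    try:
        parts = urlsplit(normalised)
    except ValueError:
        return False  # malformed authority, e.g. unbalanced IPv6 brackets
    if not parts.scheme and not parts.netloc:
        return normalised.startswith("/")  # same-site absolute path only
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, and other schemes
    if parts.username is not None or parts.password is not None:
        return False  # "allowed-host@other-host" userinfo trick
    return parts.netloc.lower() in allowed_hosts


def safe_redirect_target(target):
    """Return the requested target if it validates, else the default page."""
    if is_safe_redirect(target):
        return target.replace("\\", "/")
    return DEFAULT_TARGET
```
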

How do I fix it?

Please upgrade to the latest build, 10.1.2137.6, as you normally would. You can visit our service packs page and download the latest build. Alternatively, you can follow the steps below:

  1. Log in to your Remote Access Plus console and click your current build number in the top right corner.
  2. You'll be able to find the latest build applicable to you. Download the PPM and update.

Note: This vulnerability does not apply to Remote Access Plus Cloud.

Help

For any further queries on this, please reach out to Remote Access Plus support at remoteaccessplus-support@manageengine.com.