This document explains the vulnerability reported by Dominique Righetto.
Vulnerability ID: CVE-2019-20474, CVE-2020-8422
Vulnerability Update Release build: 100450
Update Release Date: 24-Jan-2020
Reported by: Dominique Righetto
What was the problem?
Remote Access Plus users with Guest privileges were able to:
- Access the credential manager and extract details such as the credential name, credential type, user name, and domain/workgroup name, but not the defined password.
- Access the mail server settings and perform network and port scans.
How do I resolve this?
- For Remote Access Plus on-prem, the issue has been resolved and the relevant fixes are available in the latest Remote Access Plus build. Visit the Remote Access Plus service packs page, download the latest PPM, and apply the update.
- For Remote Access Plus Cloud, the vulnerability was fixed and the fix released on Sep 29, 2020.