# CVE-2024-41140

### Privilege escalation vulnerability in the 'Update user' function

| Vulnerability Details | |
|---|---|
| Severity | **High** |
| CVE ID | CVE-2024-41140 |
| Affected software versions | v173900 and below |
| Fixed Version | Version 170008 to 170099<br>Version 173303 to 173399<br>Version 174000 and above |
| Fixed On | 6 Jan 2025 |

## Details

A vertical privilege escalation vulnerability in which a delegated admin could gain unauthorized admin access by modifying the user group parameter sent to the API that updates a user's profile.

## Impact

This vulnerability can be exploited by users with DELEGATED ADMIN role privileges to act as the ADMIN.

**Note:**

- This CVE security issue does not apply to the Applications Manager Plugin Setup.
- This issue is applicable only if any user profile has Delegated Admin role privileges. You can check whether you have a Delegated Admin user in your setup by navigating to **Settings → User Management → Profiles**.

## Fix

Applications Manager version 174000 and above (refer to the table above for the other fixed versions) fixes this issue by implementing proper role validation.

## Steps to update

Update your Applications Manager instance to the latest build using the [service pack](https://www.manageengine.com/products/applications_manager/service-packs.html).

## Source and Acknowledgements

Find out more about CVE-2024-41140 from the [CVE Directory](https://www.cve.org/CVERecord?id=CVE-2024-41140) and [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-41140).

## Reported by

maneesh

## Need Help?

For clarification or corrections please contact our [support team](https://www.manageengine.com/products/applications_manager/support.html) or email us at [appmanager-support@manageengine.com](mailto:appmanager-support@manageengine.com).
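The "proper role validation" named in the Fix section is the kind of server-side check shown below. This is an added, constructed example and is not Applications Manager's own code; the role names (`OPERATOR`, `DELEGATED_ADMIN`, `ADMIN`), the profile field names and the request shape are assumptions. It contrasts an update handler that applies every client-supplied field, so the privileged `usergroup`/`role` fields are trusted from the request, with a hardened handler that authorizes privilege-changing fields separately, using the caller's session role rather than anything in the payload, and writes an audit line for each decision.

```python
"""Server-side role validation for an 'update user' API (constructed example,
not the vendor's implementation)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumed role hierarchy; higher rank means more privilege.
# The advisory names ADMIN and DELEGATED ADMIN; OPERATOR is a constructed filler.
ROLE_RANK = {"OPERATOR": 1, "DELEGATED_ADMIN": 2, "ADMIN": 3}

# Fields that change what a user may do; these must never be taken on trust.
PRIVILEGED_FIELDS = {"usergroup", "role"}
# Full set of profile fields the API accepts (assumed).
EDITABLE_FIELDS = {"email", "display_name"} | PRIVILEGED_FIELDS


@dataclass
class User:
    name: str
    role: str
    email: str = ""
    display_name: str = ""
    usergroup: str = "default"


class AuthorizationError(Exception):
    pass


def update_user_unchecked(caller: User, target: User,
                          payload: Dict[str, str], audit: List[str]) -> User:
    """Vulnerable pattern: once the caller passes a coarse 'is some admin' gate,
    every known field in the request is applied, including usergroup/role."""
    if ROLE_RANK[caller.role] < ROLE_RANK["DELEGATED_ADMIN"]:
        raise AuthorizationError("not an admin")
    for key, value in payload.items():
        if key in EDITABLE_FIELDS:
            setattr(target, key, value)
    audit.append(f"OK {caller.name} updated {sorted(payload)} on {target.name}")
    return target


def update_user_checked(caller: User, target: User,
                        payload: Dict[str, str], audit: List[str]) -> User:
    """Hardened pattern: privilege-changing fields require the ADMIN role,
    decided from the caller's authenticated role, not from the request body."""
    if ROLE_RANK[caller.role] < ROLE_RANK["DELEGATED_ADMIN"]:
        raise AuthorizationError("not an admin")
    unknown = set(payload) - EDITABLE_FIELDS
    if unknown:
        raise AuthorizationError(f"unknown fields: {sorted(unknown)}")
    privileged = PRIVILEGED_FIELDS & set(payload)
    if privileged:
        if caller.role != "ADMIN":
            audit.append(f"DENIED {caller.name} tried to change "
                         f"{sorted(privileged)} on {target.name}")
            raise AuthorizationError("group/role changes require ADMIN")
        new_role = payload.get("role", target.role)
        if new_role not in ROLE_RANK:
            raise AuthorizationError(f"unknown role {new_role!r}")
    for key, value in payload.items():
        setattr(target, key, value)
    audit.append(f"OK {caller.name} updated {sorted(payload)} on {target.name}")
    return target


Handler = Callable[[User, User, Dict[str, str], List[str]], User]


def try_update(handler: Handler, caller: User, target: User,
               payload: Dict[str, str], audit: List[str]) -> bool:
    """Run a handler and report whether the update was applied (True) or
    refused (False); the target object is left untouched on refusal."""
    try:
        handler(caller, target, payload, audit)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    log: List[str] = []
    delegated = User("dele", "DELEGATED_ADMIN")
    # A delegated admin editing their own profile and asking for ADMIN.
    print(try_update(update_user_unchecked, delegated, User("dele", "DELEGATED_ADMIN"),
                     {"role": "ADMIN"}, log))   # True: escalation applied
    print(try_update(update_user_checked, delegated, User("dele", "DELEGATED_ADMIN"),
                     {"role": "ADMIN"}, log))   # False: refused and audited
    print("\n".join(log))
```

The decisive difference is that the hardened handler keys the decision on `caller.role`, a value the server already holds from the session, and treats `usergroup` and `role` as a separate authorization question from ordinary profile edits. The `DENIED` audit line gives operations a detection signal: any delegated-admin attempt to touch those fields is worth an alert, since there is no legitimate workflow in which it succeeds.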