CVE-2020-13154
Description
Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege users to discover the File Protection password via an AjaxServlet call.
Vulnerability
Zoho ManageEngine Service Plus versions before 11.1 build 11112 contain a vulnerability that allows low-privilege authenticated users to discover the File Protection password. The issue is exposed through the getFileProtectionSettings call to AjaxServlet.
Exploitation
An attacker must have a low-privilege authenticated session on the ManageEngine Service Plus application. The attacker can directly call the AjaxServlet endpoint with the getFileProtectionSettings action, which returns the File Protection password without requiring any additional authorization.
Impact
Upon success, the attacker obtains the File Protection password. This password can be used to access encrypted files or protected configurations within the application, potentially leading to further information disclosure or privilege escalation.
Mitigation
The fix was released in version 11.1 build 11112 of ManageEngine Service Plus [1]. Users should upgrade to this version or later. No workaround is documented.
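To judge whether the File Protection password should be treated as already exposed, web access logs can be searched for the call described under Exploitation. The following is an added example, not code from Zoho or from this advisory; the log layout, the query-parameter name and the sample lines are constructed assumptions, and only the strings AjaxServlet and getFileProtectionSettings come from the CVE description.

```python
import re
from urllib.parse import unquote

# Assumed combined-log-style layout: client, ident, user, [timestamp], "request", status.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); "action" is an assumed parameter name.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/May/2020:09:14:02 +0000] "GET /AjaxServlet?action=getFileProtectionSettings HTTP/1.1" 200 412',
    '10.0.0.5 - alice [12/May/2020:09:14:09 +0000] "GET /AjaxServlet?action=getFile%50rotectionSettings HTTP/1.1" 200 412',
    '10.0.0.9 - bob [12/May/2020:09:20:41 +0000] "GET /AjaxServlet?action=getTicketList HTTP/1.1" 200 1893',
    '10.0.0.7 - carol [12/May/2020:10:02:10 +0000] "POST /ajaxservlet?ACTION=GetFileProtectionSettings HTTP/1.1" 403 0',
]


def find_calls(lines):
    """Return requests whose target names AjaxServlet and getFileProtectionSettings."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed layout
        # Decode twice and case-fold so encoded or re-cased names still match.
        decoded = unquote(unquote(m["target"])).lower()
        if "ajaxservlet" in decoded and "getfileprotectionsettings" in decoded:
            hits.append({"client": m["client"], "user": m["user"], "ts": m["ts"],
                         "status": int(m["status"]), "target": m["target"]})
    return hits


def summarize(hits):
    """Map (client, user) -> (total calls, calls answered with a 2xx status)."""
    summary = {}
    for h in hits:
        key = (h["client"], h["user"])
        total, ok = summary.get(key, (0, 0))
        summary[key] = (total + 1, ok + (1 if 200 <= h["status"] < 300 else 0))
    return summary


if __name__ == "__main__":
    for who, (total, ok) in summarize(find_calls(SAMPLE_LOG)).items():
        print(who, "calls:", total, "successful:", ok)
```

Access logs record only the request line, so a call that carries the action in a POST body will not appear here and needs application or proxy logging that captures request parameters.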
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine Service Plus
- Range: <11.1 build 11112
References
- [1] www.manageengine.com/products/service-desk/on-premises/readme.html (mitre, x_refsource_MISC)