CVE-2022-24306

Vulnerability

Zoho ManageEngine SharePoint Manager Plus before build 4329 is vulnerable to account takeover due to improper authorization handling [1]. The product's authorization mechanisms are mishandled, allowing an attacker to bypass intended access controls. Affected versions are all builds prior to 4329 [1].

Exploitation

An attacker can exploit this vulnerability without needing prior authentication or special network access, as the issue lies in the authorization logic [1]. The exact exploitation steps are not detailed in the available references, but the mishandled authorization can be leveraged to gain unauthorized access to user accounts [1].

Impact

Successful exploitation leads to account takeover, compromising the confidentiality and integrity of the affected user's data and actions within the application [1]. The attacker gains the same privileges as the compromised user, potentially allowing further escalation or data access.

Mitigation

The vulnerability is fixed in SharePoint Manager Plus build 4329, released on or around February 2022 [1]. Users should upgrade to build 4329 or later. No workarounds are documented; applying the patch is the recommended mitigation.