CVE-2022-42903 Zoho SupportCenter Plus allows low-privileged users to view the organization users list.

When attempting to view a user that does not have the “View” permission enabled, the user will receive a message stating “This specific user does not have that permission.” If a user does not have the “View” permission enabled, they will not receive the message and will be able to view the organization users list. To correct this issue, follow the steps below.
1. Access the ManageEngine Support Center and select “Preferences” from the top menu bar.
2. Select “Users” from the left-hand menu, and then click “Permissions” under the “Users” tab.
3. Select the “View” option, and click “Update”.

How to Fix “Access Denied” Errors When Attempting to View a User

If you are unable to view a user in the ManageEngine Support Center, an error message stating “Access Denied” may appear. This problem can occur when users do not have the “View” permission for an organization enabled. To fix this issue, follow the steps below.
1. Access the ManageEngine Support Center and select “Preferences” from the top menu bar.
2. Select “Users” from the left-hand menu, and then click “Permissions” under the “Users” tab.
3. Select the “View” option, and click “Update”.

How to Hide and Unhide Users

To hide a user, follow the steps below.
1. Access the ManageEngine Support Center and select “Preferences” from the top menu bar.
2. Select “Users” from the left-hand menu, and then click “Permissions” under the “Users” tab.
3. Select the user you wish to hide (in this example, “John Smith”), then choose “Hidden” in the drop-down menu for Permission Type.

To bring back a hidden user, click on “View Hidden Users” in the left-hand menu of ManageEngine Support Center, and then select any hidden user in that list to show them again.

How to Enable View Permissions for Users

As an administrator, you can enable the view permissions for all users by following these steps:
1. Access the ManageEngine Support Center and select “Preferences” from the top menu bar.
2. Select “Users” from the left-hand menu, and then click “Permissions” under the “Users” tab.
3. From the list of user permissions, click on “View Organization Users List” to highlight it in green.
4. Click on “Update” to save your changes and enable this permission for all users.
