CVE-2017-16924

EPSS 1.73%
Veröffentlicht 19.02.2018 04:29:00
Zuletzt bearbeitet 21.11.2024 03:17:15
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zohocorp ≫ Manageengine Desktop Central Version10.0.137 SwEditionmanaged_service_providers

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.73%	0.817

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

https://github.com/snoonan77/security-research/blob/master/CVE-2017-16924

Third Party Advisory

https://www.manageengine.com/desktop-management-msp/password-encryption-policy-violation.html

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2017-16924

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-16924

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-16924

EUVD