CVE-2017-16924

EPSS 1.73%
Published 19.02.2018 04:29:00
Last modified 21.11.2024 03:17:15
Source cve@mitre.org
Teams watchlist Login
Open Login

Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Zohocorp ≫ Manageengine Desktop Central Version10.0.137 SwEditionmanaged_service_providers

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.73%	0.817

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

https://github.com/snoonan77/security-research/blob/master/CVE-2017-16924

Third Party Advisory

https://www.manageengine.com/desktop-management-msp/password-encryption-policy-violation.html

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2017-16924

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-16924

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-16924

EUVD