CVE-2018-11717

Exploit

EPSS 9.61%
Veröffentlicht 16.07.2018 14:29:00
Zuletzt bearbeitet 21.11.2024 03:43:53
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64 encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the cleartext password of recovery_password of Android devices, the cleartext password of account "set", the location of devices enrolled in the platform (with UUID and information related to the name of the person at the location), critical information about all enrolled devices such as Serial Number, UUID, Model, Name, and auth_session_token (usable to spoof a terminal identity on the platform), etc.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zohocorp ≫ Manageengine Desktop Central Version < 100251

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	9.61%	0.921

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://blog.netxp.fr/manageengine-deep-exploitation/

Third Party Advisory

Exploit

https://www.manageengine.com/products/desktop-central/vulnerability-in-log-files.html

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-11717

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-11717

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-11717

EUVD