Summary
ManageEngine DeviceExpert is prone to an information-disclosure vulnerability.
Impact
An attacker can exploit this issue to obtain potentially sensitive information. Information obtained may aid in further attacks.
Solution
Ask the vendor for an update
Insight
ManageEngine DeviceExpert exposes user names and password hashes via a GET request to 'ReadUsersFromMasterServlet'.
Affected
ManageEngine DeviceExpert 5.9 Build 5980 is vulnerable; other versions may also be affected.
Detection
Access '/ReadUsersFromMasterServlet' and check the response
References
Updated on 2015-03-25
Severity
CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Classification
CVE: CVE-2014-5377