Summary
ManageEngine DeviceExpert is prone to an information-disclosure vulnerability.
Impact
An attacker can exploit this issue to obtain potentially sensitive information. Information obtained may aid in further attacks.
Solution
Ask the vendor for an update.
Insight
ManageEngine DeviceExpert exposes user names and password hashes via a GET request to 'ReadUsersFromMasterServlet'.
Affected
ManageEngine DeviceExpert 5.9 Build 5980 is vulnerable; other versions may also be affected.
Detection
Access '/ReadUsersFromMasterServlet' and check the response.
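The following is an added example of how an administrator or vulnerability-management team could verify the detection step above against their own DeviceExpert server; it is not code from the advisory or from ManageEngine. It sends one unauthenticated GET to the servlet path the advisory names and reports only the HTTP status, the body size and a verdict; it does not parse or store anything the server returns. The classification rule (refusal or login redirect means protected, an HTTP 200 with a body means the servlet answered without credentials) and the placeholder host name are assumptions for the example.

```python
"""Defender-side reachability check for the ReadUsersFromMasterServlet exposure.

Added example, not code from the advisory or from ManageEngine. The servlet
path comes from the advisory; the host name, the verdict thresholds and the
TLS handling are assumptions for this example.
"""
import http.client
import ssl
from urllib.parse import urlsplit

SERVLET_PATH = "/ReadUsersFromMasterServlet"  # path named in the advisory


def classify_response(status: int, body: bytes) -> str:
    """Classify an unauthenticated response to the servlet.

    Assumed correct behaviour: an unauthenticated client is refused (401/403)
    or sent to a login page (3xx). An HTTP 200 carrying a body means the
    servlet answered without credentials and the host should be treated as
    exposed until patched or the endpoint is restricted.
    """
    if status in (401, 403):
        return "protected"
    if 300 <= status < 400:
        return "redirected"
    if status == 404:
        return "absent"
    if status == 200 and body.strip():
        return "exposed"
    return "inconclusive"


def check_servlet(base_url: str, timeout: float = 10.0, verify_tls: bool = True) -> dict:
    """Issue one unauthenticated GET to the servlet and return a small report.

    base_url is the scheme://host[:port] of the DeviceExpert web interface.
    verify_tls=False is only for appliances with self-signed certificates.
    """
    parts = urlsplit(base_url)
    if parts.scheme == "https":
        ctx = ssl.create_default_context()
        if not verify_tls:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                           timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                          timeout=timeout)
    try:
        # No cookies or credentials are sent: the point is whether the
        # servlet answers an anonymous client at all.
        conn.request("GET", SERVLET_PATH, headers={"User-Agent": "deviceexpert-check"})
        resp = conn.getresponse()
        body = resp.read()
        return {
            "status": resp.status,
            "bytes": len(body),
            "location": resp.getheader("Location"),
            "verdict": classify_response(resp.status, body),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # Placeholder host for the example; replace with the server under review.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://deviceexpert.example.internal"
    print(check_servlet(target, verify_tls=False))
```

A verdict of "exposed" means the servlet returned content to an anonymous request and the host should be prioritised for the vendor update or for network-level restriction of the management interface; "protected" or "redirected" indicates the endpoint is behind authentication on that build. Re-run the check after applying the update to confirm the change.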
References
Updated on 2015-03-25
Severity
CVSS Base Score: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Classification
CVE: CVE-2014-5377