Vulnerability identifier: #VU35879
Vulnerability risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-200
Exploitation vector: Network
Exploit availability: No
Vulnerable software: ManageEngine Applications Manager (Server applications / Remote management servers, RDP, SSH)
Vendor: Zoho Corporation
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request.
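To check whether this request has been made against an instance, the following added example (not part of the advisory or any vendor tooling) scans web access logs for userconfiguration.do requests with method=editUser, normalizing percent-encoding, path case and path parameters. It assumes the front-end web server or proxy writes combined log format; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed format: ip ident user [time] "VERB target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_edituser_request(target: str) -> bool:
    """True if the target is userconfiguration.do with method=editUser."""
    parts = urlsplit(target)
    # Decode %xx, drop ;jsessionid-style path parameters, ignore path case.
    path = unquote(parts.path).split(";", 1)[0].lower()
    if not path.endswith("/userconfiguration.do"):
        return False
    # parse_qs percent-decodes values and is independent of parameter order.
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(v.lower() == "edituser" for v in params.get("method", []))

def find_hits(lines):
    """Return (ip, time, status) for every log line carrying the request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_edituser_request(m.group("target")):
            hits.append((m.group("ip"), m.group("time"), int(m.group("status"))))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:13:55:36 +0000] "GET /userconfiguration.do?method=editUser HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:13:55:40 +0000] "GET /UserConfiguration.do?x=1&method=%65ditUser HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:14:01:02 +0000] "GET /userconfiguration.do?method=somethingElse HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Jan/2024:14:02:10 +0000] "GET /index.do HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, when, status in find_hits(SAMPLE):
        print(f"{when}  {ip}  status={status}")
```

A hit only shows that the request was made; the access log does not record whether the session was authenticated, so correlate hits with login records for the same source. Parameters sent in a POST body do not appear in access logs and are not covered.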
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
ManageEngine Applications Manager : 12.3
External links
http://applications.com
http://manageengine.com
http://www.manageengine.com/
http://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18738
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.