CVE-2018-7248

Опубликовано: 11 мая 2018

Источник: nvd

CVSS3: 5.3

CVSS2: 5

EPSS Низкий

Описание

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the accounts exists, or 'null' if it does not.

Ссылки

http://www.securityfocus.com/bid/104287
Third Party Advisory
VDB Entry
https://gitlab.com/e-sterling/cve-2018-7248
Exploit
Third Party Advisory
https://medium.com/%40esterling_/cve-2018-7248-enumerating-active-directory-users-via-unauthenticated-manageengine-servicedesk-a1eda2942eb0
http://www.securityfocus.com/bid/104287
Third Party Advisory
VDB Entry
https://gitlab.com/e-sterling/cve-2018-7248
Exploit
Third Party Advisory
https://medium.com/%40esterling_/cve-2018-7248-enumerating-active-directory-users-via-unauthenticated-manageengine-servicedesk-a1eda2942eb0

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9317:*:*:*:*:*:*

EPSS

Процентиль: 90%

0.05186

Низкий

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

GHSA-9pr8-4qx2-38mf