ManageEngine DeviceExpert Unauthorized Information Disclosure

Medium severity, Nessus Plugin ID 77530

Synopsis

The remote web server contains a web application affected by an information disclosure vulnerability.

Description

ManageEngine DeviceExpert exposes user names and password hashes via a specially crafted GET request for 'ReadUsersFromMasterServlet'.

Solution

Upgrade to DeviceExpert 5.9 Build 5981.

See Also

http://www.nessus.org/u?af669cc9

Plugin Details

Severity: Medium

ID: 77530

File Name: manageengine_deviceexpert_CVE-2014-5377.nasl

Version: 1.10

Type: remote

Family: CGI abuses

Published: 9/4/2014

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2014-5377

Vulnerability Information

CPE: cpe:/a:zohocorp:manageengine:device_expert

Required KB Items: installed_sw/manageengine_deviceexpert

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 9/1/2014

Vulnerability Publication Date: 8/27/2014

Reference Information

CVE: CVE-2014-5377

BID: 69443