ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request.
https://exchange.xforce.ibmcloud.com/vulnerabilities/95562
http://www.securityfocus.com/bid/69443
http://www.securityfocus.com/archive/1/533250/100/0/threaded
http://www.manageengine.com/products/device-expert/release-notes.html