CVE-2017-16924
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157.
Una revelación de información remota y un escalado de privilegios en ManageEngine Desktop Central MSP 10.0.137 permiten que atacantes descarguen archivos XML sin cifrar que contienen todos los datos de las políticas de configuración mediante una URL /client-data//collections/##/usermgmt.xml predecible, tal y como demuestran las contraseñas y las claves Wi-Fi. Esto se ha solucionado en la build 100157.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-11-21 CVE Reserved
- 2018-02-19 CVE Published
- 2024-01-29 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-330: Use of Insufficiently Random Values
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://github.com/snoonan77/security-research/blob/master/CVE-2017-16924 | Third Party Advisory | |
https://www.manageengine.com/desktop-management-msp/password-encryption-policy-violation.html | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Zohocorp Search vendor "Zohocorp" | Manageengine Desktop Central Search vendor "Zohocorp" for product "Manageengine Desktop Central" | 10.0.137 Search vendor "Zohocorp" for product "Manageengine Desktop Central" and version "10.0.137" | managed_service_providers |
Affected
|