Vulnerability Details CVE-2018-7248
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the accounts exists, or 'null' if it does not.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.047
EPSS Ranking 88.9%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
References
- http://www.securityfocus.com/bid/104287
- https://gitlab.com/e-sterling/cve-2018-7248
- https://medium.com/%40esterling_/cve-2018-7248-enumerating-active-directory-users-via-unauthenticated-manageengine-servicedesk-a1eda2942eb0
- http://www.securityfocus.com/bid/104287
- https://gitlab.com/e-sterling/cve-2018-7248
- https://medium.com/%40esterling_/cve-2018-7248-enumerating-active-directory-users-via-unauthenticated-manageengine-servicedesk-a1eda2942eb0
Products affected by CVE-2018-7248
-
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3