CVE-2018-11716

An issue was discovered in Zoho ManageEngine Desktop Central before 100230. There is unauthenticated remote access to all log files of a Desktop Central instance containing critical information (private information such as location of enrolled devices, cleartext passwords, patching level, etc.) via a GET request on port 8022, 8443, or 8444.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 92%
VendorProductVersion
zohocorpmanageengine_desktop_central
𝑥
< 100230
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://blog.netxp.fr/manageengine-deep-exploitation/
https://www.manageengine.com/products/desktop-central/vulnerability-in-log-files.html
https://blog.netxp.fr/manageengine-deep-exploitation/
https://www.manageengine.com/products/desktop-central/vulnerability-in-log-files.html