CVE-2017-16924Use of Insufficiently Random Values in Manageengine Desktop Central

CWE-330Use of Insufficiently Random Values3 documents3 sources
Severity
9.8CRITICALNVD
EPSS
1.7%
top 17.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Zohocorp Manageengine Desktop Central
Timeline
PublishedFeb 19
Latest updateMay 13

Description

Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data//collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-63qg-58c5-wrff: Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 102022-05-13
CVEList
CVE-2017-16924: Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 102018-02-19
CVE-2017-16924 — Use of Insufficiently Random Values | cvebase