CVE-2018-7248 — Manageengine Servicedesk Plus vulnerability

3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

5.2%

top 10.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Servicedesk Plus

Timeline

PublishedMay 11

Latest updateMay 13

Description

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the accounts exists, or 'null' if it does not.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

▶NVDzohocorp/manageengine_servicedesk_plus9.3

🔴Vulnerability Details

GHSA

GHSA-9pr8-4qx2-38mf: An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9↗2022-05-13

▶

CVEList

CVE-2018-7248: An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9↗2018-05-11

▶