Zoho ManageEngine ServiceDesk Plus CVE-2018-7248 User Enumeration Vulnerability
BID:104287
Info
| Bugtraq ID: | 104287 |
| Class: | Access Validation Error |
| CVE: | CVE-2018-7248 |
| Remote: | Yes |
| Local: | No |
| Published: | May 11 2018 12:00AM |
| Updated: | May 11 2018 12:00AM |
| Credit: | Ethan Sterling |
| Vulnerable: | Zohocorp ManageEngine ServiceDesk Plus 9.3 Build 9317 |
| Not Vulnerable: | |
Discussion
Zoho ManageEngine ServiceDesk Plus is prone to a user-enumeration vulnerability.
An attacker may leverage this issue to harvest valid user accounts, which may aid in brute-force attacks.
ManageEngine ServiceDesk Plus 9.3 Build 9317 is vulnerable; other versions may also be affected.
Exploit / POC
Attackers can exploit this issue using a browser or readily available tools.
The following example URI is available:
http://www.example.com/domainServlet/AJaxDomainServlet?action=searchDomain&search=USERNAME
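As an added defender-side example (not part of the advisory), the following Python parses web-server access-log lines and flags source addresses that send many distinct `search` values to the `AJaxDomainServlet` `searchDomain` action, which is the request pattern the advisory describes. The log lines, addresses and alert threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format); not taken from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [11/May/2018:10:00:01 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchDomain&search=alice HTTP/1.1" 200 312 "-" "curl/7.58.0"
10.0.0.5 - - [11/May/2018:10:00:02 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchDomain&search=bob HTTP/1.1" 200 298 "-" "curl/7.58.0"
10.0.0.5 - - [11/May/2018:10:00:03 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchDomain&search=carol HTTP/1.1" 200 305 "-" "curl/7.58.0"
10.0.0.5 - - [11/May/2018:10:00:04 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchDomain&search=dave HTTP/1.1" 200 301 "-" "curl/7.58.0"
192.168.1.20 - - [11/May/2018:10:05:00 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchDomain&search=helpdesk HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.168.1.20 - - [11/May/2018:10:05:07 +0000] "GET /home HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# Client IP, request method, request target and status code from a Combined Log Format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_domain_search(target):
    """True when the request targets the servlet and action named in the advisory."""
    parts = urlsplit(target)
    if not parts.path.endswith("/domainServlet/AJaxDomainServlet"):
        return False
    return parse_qs(parts.query).get("action", [""])[0] == "searchDomain"


def search_term(target):
    """The 'search' query parameter of a request target (empty string if absent)."""
    return parse_qs(urlsplit(target).query).get("search", [""])[0]


def find_enumeration(log_text, threshold=3):
    """Map each source IP to the sorted distinct 'search' values it sent to the
    searchDomain action, keeping only sources at or above the threshold.
    The threshold is an assumed tuning value, not something the advisory states."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_domain_search(rec["target"]):
            seen[rec["ip"]].add(search_term(rec["target"]))
    return {ip: sorted(terms) for ip, terms in seen.items() if len(terms) >= threshold}
```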