Vulnerability Description
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the accounts exists, or 'null' if it does not.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zohocorp | Manageengine Servicedesk Plus | 9.3 |
References
- http://www.securityfocus.com/bid/104287Third Party AdvisoryVDB Entry
- https://gitlab.com/e-sterling/cve-2018-7248ExploitThird Party Advisory
- https://medium.com/%40esterling_/cve-2018-7248-enumerating-active-directory-user
- http://www.securityfocus.com/bid/104287Third Party AdvisoryVDB Entry
- https://gitlab.com/e-sterling/cve-2018-7248ExploitThird Party Advisory
- https://medium.com/%40esterling_/cve-2018-7248-enumerating-active-directory-user
FAQ
What is CVE-2018-7248?
CVE-2018-7248 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API end...
How severe is CVE-2018-7248?
CVE-2018-7248 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-7248?
Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Servicedesk Plus.