CVE-2018-11717
First published: Mon Jul 16 2018(Updated: )
An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64 encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the cleartext password of recovery_password of Android devices, the cleartext password of account "set", the location of devices enrolled in the platform (with UUID and information related to the name of the person at the location), critical information about all enrolled devices such as Serial Number, UUID, Model, Name, and auth_session_token (usable to spoof a terminal identity on the platform), etc.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zohocorp Manageengine Desktop Central | <100251 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2018-11717?
CVE-2018-11717 is a vulnerability discovered in Zoho ManageEngine Desktop Central before version 100251.
What is the severity of CVE-2018-11717?
CVE-2018-11717 has a severity rating of 9.8 (Critical).
How can an attacker exploit CVE-2018-11717?
By leveraging access to a log file, a context-dependent attacker can obtain sensitive information such as encoded passwords, usernames, and mail settings.
What is affected by CVE-2018-11717?
Zoho ManageEngine Desktop Central versions up to and excluding 100251 are affected by CVE-2018-11717.
Is there a fix for CVE-2018-11717?
Yes, updating to version 100251 of Zoho ManageEngine Desktop Central will fix the vulnerability.
- collector/nvd-index
- vendor/zohocorp
- canonical/zohocorp manageengine desktop central