|
Description
|
|
Andrea Micalizzi has discovered two vulnerabilities in ManageEngine DeviceExpert, which can be exploited by malicious people to disclose sensitive information.
1) An error in the ScheduleResultViewer servlet due to missing authentication checks when processing web requests for the "FileName" parameter can be exploited to disclose e.g. the authentication configuration file (auth-conf.xml).
2) An input validation error in the ScheduleResultViewer servlet when processing web requests for the "FileName" parameter can be exploited to download arbitrary files via directory traversal attacks.
The vulnerabilities are confirmed in version 5.6.5 Build 5650. Other versions may also be affected.
|
|
|
|
|
|
Vulnerable Products
|
|
Vulnerable Software:
ManageEngine DeviceExpert 5.x
|
|
|
|
|
|
Solution
|
|
Restrict access to trusted hosts only.
|
|
|
|
|
|
CVE
|
|
|
|
|
|
|
|
References
|
|
http://retrogod.altervista.org/9sg_me_adv.htm
|
|
|
|
|
|
Vulnerability Manager Detection
|
|
No
|
|
|
|
|
|
IPS Protection
|
|
|
|
|
|
|
