| Title | Information disclosure vulnerability through log files in Zoho ManageEngine Desktop Central |
|---|---|
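| Summary | Zoho ManageEngine Desktop Central contains an information disclosure vulnerability through log files. |
| Possible impacts | Information may be obtained or tampered with, and a denial-of-service (DoS) condition may be caused. |
| Solution | The vendor has released an official fix. Refer to the vendor information and apply the appropriate measures. |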
| Publication Date | June 20, 2018, midnight |
| Registration Date | Oct. 16, 2018, 4:18 p.m. |
| Last Update | Oct. 16, 2018, 4:18 p.m. |
| CVSS3.0 : Critical | |
| Score | 9.8 |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVSS2.0 : Warning | |
| Score | 5 |
| Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| Zoho Corporation |
| ManageEngine Desktop Central before 100251 |
| No | Changed Details | Date of change |
|---|---|---|
| 1 | [October 16, 2018] Published | Oct. 16, 2018, 4:18 p.m. |
| Summary | An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64 encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the cleartext password of recovery_password of Android devices, the cleartext password of account "set", the location of devices enrolled in the platform (with UUID and information related to the name of the person at the location), critical information about all enrolled devices such as Serial Number, UUID, Model, Name, and auth_session_token (usable to spoof a terminal identity on the platform), etc. |
|---|---|
| Publication Date | July 16, 2018, 11:29 p.m. |
| Registration Date | March 1, 2021, 6:47 p.m. |
| Last Update | Nov. 21, 2024, 12:43 p.m. |
| Configuration1 | or higher | or less | more than | less than | |
|---|---|---|---|---|---|
| cpe:2.3:a:zohocorp:manageengine_desktop_central:*:*:*:*:*:*:*:* | | | | 100251 | |