CVE-2017-11557 - OpenCVE

An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Zohocorp	Manageengine Applications Manager

Configuration 1 [-]

cpe:2.3:a:zohocorp:manageengine_applications_manager:12.3:*:*:*:*:*:*:*

References

Link	Resource
http://applications.com	Product
http://manageengine.com	Vendor Advisory
https://www.manageengine.com/	Vendor Advisory
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18738	Broken Link Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-05-23T17:17:42

Updated: 2019-05-23T17:17:42

Reserved: 2017-07-22T00:00:00

Link: CVE-2017-11557

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-05-23T18:29:00.450

Modified: 2019-05-24T13:54:20.307

Link: CVE-2017-11557

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-05-23T17:17:42", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://manageengine.com"}, {"tags": ["x_refsource_MISC"], "url": "https://www.manageengine.com/"}, {"tags": ["x_refsource_MISC"], "url": "http://applications.com"}, {"tags": ["x_refsource_MISC"], "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18738"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-11557", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://manageengine.com", "refsource": "MISC", "url": "http://manageengine.com"}, {"name": "https://www.manageengine.com/", "refsource": "MISC", "url": "https://www.manageengine.com/"}, {"name": "http://applications.com", "refsource": "MISC", "url": "http://applications.com"}, {"name": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18738", "refsource": "MISC", "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18738"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-11557", "datePublished": "2019-05-23T17:17:42", "dateReserved": "2017-07-22T00:00:00", "dateUpdated": "2019-05-23T17:17:42", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_applications_manager:12.3:*:*:*:*:*:*:*", "matchCriteriaId": "ACC75B6D-A432-46BE-AFD7-2D4B7E4EC82C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request."}, {"lang": "es", "value": "Fue encontrado un problema en ZOHO ManageEngine Applications Manager versi\u00f3n 12.3. Es posible que un usuario no autenticado vea la lista de nombres de dominio y nombres de usuario utilizados en el entorno de red de una empresa por medio de una solicitud userconfiguration.do?method=editUser."}], "id": "CVE-2017-11557", "lastModified": "2019-05-24T13:54:20.307", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-05-23T18:29:00.450", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "http://applications.com"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://manageengine.com"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.manageengine.com/"}, {"source": "cve@mitre.org", "tags": ["Broken Link", "Exploit", "Third Party Advisory"], "url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18738"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}