Unencrypted XML File Disclosure and Privilege Escalation in ManageEngine Desktop Central MSP 10.0.137

Unencrypted XML File Disclosure and Privilege Escalation in ManageEngine Desktop Central MSP 10.0.137

CVE-2017-16924 · MEDIUM Severity

AV:N/AC:L/AU:N/C:P/I:N/A:N

Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157.

Learn more about our Cis Benchmark Audit For Desktop Software.