Vulnerability Details : CVE-2014-5377
Public exploit exists!
ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request.
Vulnerability category: Information leak
Products affected by CVE-2014-5377
- cpe:2.3:a:manageengine:device_expert:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-5377
- 20.00%: Probability of exploitation activity in the next 30 days
- ~96%: Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2014-5377
- ManageEngine DeviceExpert User Credentials
  Disclosure Date: 2014-08-28
  First seen: 2020-04-26
  auxiliary/scanner/http/manageengine_deviceexpert_user_creds
  This module extracts usernames and salted MD5 password hashes from ManageEngine DeviceExpert version 5.9 build 5980 and prior. This module has been tested successfully on DeviceExpert version 5.9.7 build 5970.
  Authors: Pedro Ribeiro <pedrib@gmail.com>
CVSS scores for CVE-2014-5377
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
CWE ids for CVE-2014-5377
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-5377
- http://seclists.org/fulldisclosure/2014/Aug/75
  Full Disclosure: [The ManageOwnage Series, part II]: User credential disclosure in ManageEngine DeviceExpert
- http://seclists.org/fulldisclosure/2014/Aug/76
  Full Disclosure: Re: [The ManageOwnage Series, part II]: User credential disclosure in ManageEngine DeviceExpert [Exploit]
- http://seclists.org/fulldisclosure/2014/Aug/84
  Full Disclosure: Re: [The ManageOwnage Series, part II]: User credential disclosure in ManageEngine DeviceExpert
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95562
  ManageEngine DeviceExpert information disclosure CVE-2014-5377 Vulnerability Report
- http://www.manageengine.com/products/device-expert/release-notes.html
  Release Notes - New Features | NCM - ManageEngine [Patch]
- http://www.exploit-db.com/exploits/34449
  ManageEngine DeviceExpert 5.9 - User Credential Disclosure - Multiple webapps Exploit [Exploit]
- https://raw.githubusercontent.com/pedrib/PoC/master/me_deviceexpert-5.txt
  [Exploit]
- http://www.securityfocus.com/bid/69443
  ManageEngine DeviceExpert CVE-2014-5377 User Credentials Information Disclosure Vulnerability
- http://packetstormsecurity.com/files/128019/ManageEngine-DeviceExpert-5.9-Credential-Disclosure.html
  ManageEngine DeviceExpert 5.9 Credential Disclosure ≈ Packet Storm [Exploit]
- http://www.securityfocus.com/archive/1/533250/100/0/threaded
  SecurityFocus