Zoho · ManageEngine Desktop Central · CVE-2017-16924
Name of the Vulnerable Software and Affected Versions:
ManageEngine Desktop Central MSP version 10.0.137
Description:
The issue allows attackers to download unencrypted XML files containing sensitive data, such as passwords and Wi-Fi keys, via a predictable API endpoint "/client-data/<client id>/collections/##/usermgmt.xml". This can lead to remote information disclosure and escalation of privileges.
Recommendations:
For ManageEngine Desktop Central MSP version 10.0.137, update to build 100157 to resolve the issue. As a temporary workaround, consider restricting access to the "/client-data/<client id>/collections/##/usermgmt.xml" API endpoint to minimize the risk of exploitation.
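Until the fixed build is deployed, defenders will want to know whether the endpoint named above has been reached from outside the networks where Desktop Central agents live. The following is an added example (not code from Zoho, ManageEngine or this advisory) that parses combined-format web server access log lines, matches the usermgmt.xml path pattern from the description, and reports successful requests from unexpected sources. The allowed agent network (10.20.0.0/16), the log format, the client and collection ids and the log lines themselves are all constructed assumptions for illustration.

```python
import re
import ipaddress
from collections import Counter

# Path pattern from the advisory. The client id and collection id segments are
# left as wildcards because both vary per tenant and per collection.
USERMGMT_RE = re.compile(
    r"^/client-data/[^/]+/collections/[^/]+/usermgmt\.xml$", re.IGNORECASE
)

# Combined log format (Apache/nginx style): ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Assumption: Desktop Central agents are only expected from this management network.
# Anything else that successfully fetches usermgmt.xml is worth investigating.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so the path comparison is exact.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def is_usermgmt_request(rec):
    """True when the request path is the usermgmt.xml endpoint from the advisory."""
    return USERMGMT_RE.match(rec["path"]) is not None


def is_allowed_source(ip):
    """True when the client address falls inside one of the allowed agent networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def find_suspicious(lines):
    """Return (ip, path, status) for successful (2xx) usermgmt.xml fetches from
    outside the allowed networks. Denied requests (4xx) are not reported because
    they show the access restriction working, not data leaving."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_usermgmt_request(rec):
            continue
        if rec["status"] // 100 == 2 and not is_allowed_source(rec["ip"]):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


def summarize(hits):
    """Count suspicious fetches per source address; a single source touching several
    collection ids suggests enumeration of the predictable path."""
    return Counter(ip for ip, _, _ in hits)


# Constructed sample log lines (not real traffic). Addresses use documentation ranges.
SAMPLE_LOG = [
    '10.20.5.14 - - [01/Dec/2017:10:00:01 +0000] "GET /client-data/1001/collections/12/usermgmt.xml HTTP/1.1" 200 5120',
    '203.0.113.77 - - [01/Dec/2017:10:02:13 +0000] "GET /client-data/1001/collections/12/usermgmt.xml HTTP/1.1" 200 5120',
    '203.0.113.77 - - [01/Dec/2017:10:02:14 +0000] "GET /client-data/1001/collections/13/usermgmt.xml?x=1 HTTP/1.1" 200 4980',
    '198.51.100.9 - - [01/Dec/2017:10:05:00 +0000] "GET /client-data/1002/collections/7/usermgmt.xml HTTP/1.1" 403 210',
    '203.0.113.77 - - [01/Dec/2017:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    "this line is not in combined log format",
]

if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for ip, path, status in found:
        print(f"suspicious: {ip} fetched {path} (HTTP {status})")
    for ip, n in summarize(found).items():
        print(f"{ip}: {n} usermgmt.xml fetch(es) from outside allowed networks")
```

On the sample data the two successful fetches from 203.0.113.77 are reported, the fetch from the agent network is ignored, and the 403 from 198.51.100.9 is left out because it shows the workaround restriction holding. In a real deployment, feed the script the reverse proxy or Tomcat access log in front of Desktop Central and adjust ALLOWED_NETWORKS to the ranges where agents actually run.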