CVE-2018-11717

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine Desktop Central versions prior to 100251

Description An issue was discovered that allows a context-dependent attacker to obtain sensitive information by leveraging access to a log file. This information can include the Base64 encoded password/username of AD accounts, cleartext password/username and mail settings of the EAS account, cleartext password of recovery password of Android devices, and critical information about enrolled devices such as serial number, UUID, model, name, and auth session token.

Recommendations For Zoho ManageEngine Desktop Central versions prior to 100251, update to version 100251 or later to resolve the issue. As a temporary workaround, consider restricting access to the log file to minimize the risk of exploitation.