CVE-2018-7248

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine ServiceDesk Plus version 9.3 Build 9317

Description An issue allows unauthenticated users to validate domain user accounts by sending a request containing the username to an "API endpoint". The endpoint returns the user's logon domain if the account exists, or 'null' if it does not.

Recommendations For Zoho ManageEngine ServiceDesk Plus version 9.3 Build 9317, consider restricting access to the affected API endpoint until a patch is available. As a temporary workaround, avoid using the username variable in the affected API endpoint to minimize the risk of exploitation.