CVE-2018-15656

Name of the Vulnerable Software and Affected Versions 42Gears SureMDM versions prior to 2018-11-27

Description An issue was discovered in the registration API endpoint. An attacker can submit a GET request to "/api/register/:email", where :email is a base64 encoded e-mail address, to receive confirmation as to whether a user account exists in the system with the specified e-mail address. The request must be made with an apiKey value in the ApiKey header.

Recommendations For versions prior to 2018-11-27, consider restricting access to the "/api/register/:email" API endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the :email parameter in the affected API endpoint until the issue is resolved.