PT-2022-16262 · Zoho · Zoho ManageEngine Desktop Central

Matthew Zellner · Published 2022-03-02 · Updated 2022-09-06 · CVE-2022-23779

CVSS v3.1: 5.3 (Medium) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine Desktop Central versions prior to 10.1.2137.8
Description: The issue exposes the name of the installed server to anyone: the internal hostname can be discovered by reading the server's HTTP redirect responses, specifically the Location HTTP response header. The estimated number of potentially affected devices worldwide is not specified.
Recommendations: For versions prior to 10.1.2137.8, update to version 10.1.2137.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the /themes API endpoint until the patch can be applied. Until the issue is resolved, avoid analyzing the Location HTTP response header in the HTTP redirect response for the affected endpoint.
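As an added example (not the advisory's or Zoho's own code), the following Python check flags a redirect whose Location header names a host other than the one the client requested, which is the symptom described above; it is useful for verifying the workaround or the patched version. The hostnames, port and responses in it are constructed.

```python
"""Detect internal-hostname disclosure in HTTP redirect Location headers.

Added example, not code from the advisory or the vendor. All sample
responses and hostnames below are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit


def leaked_host(request_host: str, raw_response: bytes) -> Optional[str]:
    """Return the hostname disclosed by a redirect's Location header, or None.

    A disclosure is reported when the response is a 3xx redirect whose
    Location is an absolute URL naming a host different from the Host the
    client sent. Relative Locations and same-host redirects return None.
    """
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit() or not 300 <= int(parts[1]) < 400:
        return None  # not a redirect, so no Location header to inspect
    location = None
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            location = value.strip()
            break
    if location is None:
        return None
    target = urlsplit(location).hostname  # None for a relative Location
    if target is None:
        return None
    # Normalise the requested Host (it may carry a port) the same way.
    requested = urlsplit("//" + request_host).hostname or ""
    return None if target.lower() == requested.lower() else target


# Constructed sample: a redirect that names the server's internal hostname.
LEAKY = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://internal-host.example/themes/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Constructed sample: a non-disclosing redirect using a relative Location.
SAFE = b"HTTP/1.1 302 Found\r\nLocation: /themes/\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(leaked_host("10.0.0.5:8020", LEAKY))  # internal-host.example
    print(leaked_host("10.0.0.5:8020", SAFE))   # None
```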

Weakness Enumeration: Information Disclosure

Related Identifiers: CVE-2022-23779

Affected Products: Zoho ManageEngine Desktop Central