Password Encryption Flaw in ManageEngine ServiceDesk Plus by Zoho
CVE-2011-1509

Currently unrated

Key Information:

CVE Published: 20 September 2011

Summary

The login functionality in ManageEngine ServiceDesk Plus uses the encryptPassword method in Login.js, which applies a simple Caesar cipher to passwords stored in cookies. A Caesar cipher is a fixed-shift substitution that is trivially reversible, so a remote attacker who intercepts a cookie in network traffic can decrypt it and recover the password, compromising the security and confidentiality of the user's account.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
