User Enumeration Vulnerability in Zoho ManageEngine Password Manager Pro
CVE-2021-33617

5.3MEDIUM

Key Information:

Vendor

Zohocorp
Status
Manageengine Password Manager Pro
Vendor
CVE Published:
31 July 2021

What is CVE-2021-33617?

The vulnerability in Zoho ManageEngine Password Manager Pro allows attackers to determine whether a username exists in the system by analyzing the responses to failed login attempts. Specifically, when a login attempt is made with an invalid username, the system provides a null response. This can allow malicious actors to enumerate valid usernames, potentially leading to further attacks such as account takeover or unauthorized access to sensitive information.

References

https://www.manageengine.com
x_refsource_MISC
https://www.manageengine.com/products/passwordmanagerpro/...
x_refsource_MISC
https://herolab.usd.de/security-advisories/usd-2021-0015/
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.