CVE-2021-33617

moderate-risk
Published 2021-07-31

Zoho ManageEngine Password Manager Pro before 11.2 11200 allows login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName= username enumeration, because the response (to a failed login request) is null only when the username is invalid.

Do I need to act?

-
0.48% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Zohocorp

References (6)

Exploit https://herolab.usd.de/security-advisories/usd-2021-0015/
Vendor Advisory https://www.manageengine.com
Release Notes https://www.manageengine.com/products/passwordmanagerpro/release-notes.html#pmp1...
Exploit https://herolab.usd.de/security-advisories/usd-2021-0015/
Vendor Advisory https://www.manageengine.com
Release Notes https://www.manageengine.com/products/passwordmanagerpro/release-notes.html#pmp1...
30
/ 100
moderate-risk
Severity 21/34 · High
Exploitability 2/34 · Minimal
Exposure 7/34 · Low