CVE-2014-5377

ManageEngine DeviceExpert < 5.9 - Information Disclosure

Title source: rule

Description

ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request.

Exploits (2)

exploitdb WORKING POC
by Pedro Ribeiro · text · webapps · multiple
https://www.exploit-db.com/exploits/34449
metasploit WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.rb

Scores

EPSS 0.6764
EPSS Percentile 98.6%

Details

CWE: CWE-200
Status: published
Products (1): manageengine/device_expert < 5.9
Published: Sep 04, 2014
Tracked Since: Feb 18, 2026