Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732.
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Manageengine_servicedesk_plus_msp | Zohocorp | 8.0 (including) | 9.4 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10500 (including) | 10.5-10500 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10501 (including) | 10.5-10501 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10502 (including) | 10.5-10502 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10503 (including) | 10.5-10503 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10504 (including) | 10.5-10504 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10505 (including) | 10.5-10505 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10506 (including) | 10.5-10506 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10507 (including) | 10.5-10507 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10508 (including) | 10.5-10508 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10509 (including) | 10.5-10509 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10510 (including) | 10.5-10510 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10511 (including) | 10.5-10511 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10512 (including) | 10.5-10512 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10513 (including) | 10.5-10513 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10514 (including) | 10.5-10514 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10515 (including) | 10.5-10515 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10516 (including) | 10.5-10516 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10517 (including) | 10.5-10517 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-10518 (including) | 10.5-10518 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8000 (including) | 10.5-8000 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8001 (including) | 10.5-8001 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8002 (including) | 10.5-8002 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8003 (including) | 10.5-8003 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8004 (including) | 10.5-8004 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8100 (including) | 10.5-8100 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8101 (including) | 10.5-8101 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8102 (including) | 10.5-8102 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8103 (including) | 10.5-8103 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8104 (including) | 10.5-8104 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8105 (including) | 10.5-8105 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8200 (including) | 10.5-8200 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8201 (including) | 10.5-8201 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8202 (including) | 10.5-8202 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8203 (including) | 10.5-8203 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8204 (including) | 10.5-8204 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8205 (including) | 10.5-8205 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8206 (including) | 10.5-8206 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8207 (including) | 10.5-8207 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8208 (including) | 10.5-8208 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8209 (including) | 10.5-8209 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8210 (including) | 10.5-8210 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8211 (including) | 10.5-8211 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8300 (including) | 10.5-8300 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8301 (including) | 10.5-8301 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8302 (including) | 10.5-8302 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8303 (including) | 10.5-8303 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8304 (including) | 10.5-8304 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8305 (including) | 10.5-8305 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8306 (including) | 10.5-8306 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8307 (including) | 10.5-8307 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8308 (including) | 10.5-8308 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8309 (including) | 10.5-8309 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8310 (including) | 10.5-8310 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8311 (including) | 10.5-8311 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-8312 (including) | 10.5-8312 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9000 (including) | 10.5-9000 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9001 (including) | 10.5-9001 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9002 (including) | 10.5-9002 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9003 (including) | 10.5-9003 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9004 (including) | 10.5-9004 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9005 (including) | 10.5-9005 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9006 (including) | 10.5-9006 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9007 (including) | 10.5-9007 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9008 (including) | 10.5-9008 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9009 (including) | 10.5-9009 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9201 (including) | 10.5-9201 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9203 (including) | 10.5-9203 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9204 (including) | 10.5-9204 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9205 (including) | 10.5-9205 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9206 (including) | 10.5-9206 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9207 (including) | 10.5-9207 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9208 (including) | 10.5-9208 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9209 (including) | 10.5-9209 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9210 (including) | 10.5-9210 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9300 (including) | 10.5-9300 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9301 (including) | 10.5-9301 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9302 (including) | 10.5-9302 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9303 (including) | 10.5-9303 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9304 (including) | 10.5-9304 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9305 (including) | 10.5-9305 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9306 (including) | 10.5-9306 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9307 (including) | 10.5-9307 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9308 (including) | 10.5-9308 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9400 (including) | 10.5-9400 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9401 (including) | 10.5-9401 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9402 (including) | 10.5-9402 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9403 (including) | 10.5-9403 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9404 (including) | 10.5-9404 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9405 (including) | 10.5-9405 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9406 (including) | 10.5-9406 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9407 (including) | 10.5-9407 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9408 (including) | 10.5-9408 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9409 (including) | 10.5-9409 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9410 (including) | 10.5-9410 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9411 (including) | 10.5-9411 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9412 (including) | 10.5-9412 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9413 (including) | 10.5-9413 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9414 (including) | 10.5-9414 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9415 (including) | 10.5-9415 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9416 (including) | 10.5-9416 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9417 (including) | 10.5-9417 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9418 (including) | 10.5-9418 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9419 (including) | 10.5-9419 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9420 (including) | 10.5-9420 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9421 (including) | 10.5-9421 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9422 (including) | 10.5-9422 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9423 (including) | 10.5-9423 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9424 (including) | 10.5-9424 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9425 (including) | 10.5-9425 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9426 (including) | 10.5-9426 (including) |
Manageengine_servicedesk_plus_msp | Zohocorp | 10.5-9427 (including) | 10.5-9427 (including) |
The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more serious attacks. The error message may be created in different ways:
An attacker may use the contents of error messages to help launch another, more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of “..” sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.
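The following added example (not code from Zoho or from this advisory) shows the general pattern behind a Forgot Password user-enumeration flaw next to a hardened handler, with a regression check defenders can run against their own reset endpoint logic. The user directory, message texts, function names and the `OUTBOX` mail queue are all hypothetical; the product's actual messages are not given on this page.

```python
import secrets

# Constructed sample directory; names and addresses are hypothetical.
USERS = {"alice": "alice@example.test", "bob": "bob@example.test"}
GENERIC = "If the account exists, a password reset link has been sent."
OUTBOX = []  # stand-in for an asynchronous mail queue


def forgot_password_leaky(username):
    """Flawed pattern: status and error text depend on account existence."""
    if username not in USERS:
        return 404, f"User '{username}' does not exist."
    return 200, f"Reset link sent to {USERS[username]}."


def forgot_password_uniform(username):
    """Hardened pattern: identical status and body for every input."""
    # Generate the token unconditionally so both paths do similar work.
    token = secrets.token_urlsafe(32)
    email = USERS.get(username)
    if email is not None:
        # Queue the mail out of band; the HTTP response never reflects
        # whether anything was queued.
        OUTBOX.append((email, token))
    return 200, GENERIC


def is_enumerable(handler, known, unknown):
    """Regression check: True when the (status, body) pair differs between
    an existing and a non-existing account name."""
    return handler(known) != handler(unknown)
```

The check compares only status and body; response time and side channels such as differing headers or redirects need to be compared separately.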