usd-2021-0015 | Password Manager Pro

Advisory ID: usd-2021-0015
CVE Number: CVE-2021-33617
Affected Product: Password Manager Pro
Affected Version: < Version 11.2 Build 11200 (Major)
Vulnerability Type: User Enumeration (CWE-203: Observable Discrepancy)
Security Risk: Low
Vendor URL: https://www.manageengine.com/products/passwordmanagerpro/ 
Vendor Status: Fixed

Description

The ManageEngine Password Manager Pro web application allows the determination of valid logon names. This can be achieved by passing either an existing or non-existing user name to the application and view its corresponding response.

User Enumeration vulnerabilities occur if observable discrepancies of an application’s behavior allow to determine whether an user account is existent within an application. Such vulnerabilities can be often exploited to generate a list of valid logon names, potentially acting as foothold for further attacks.

The Password Manager Pro exposes an endpoint that enables an unauthenticated malicious actor to determine whether an userName is existent within the application.

Proof of Concept (PoC)

The Password Manager Pro exposes an endpoint that responds with different contents if a userName parameter at https://example.com/login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName=[VALUE] holds an existing user name or not.

1. Non-existent user: https://example.com/login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName=non.existent

2.Existing user: https://example.com/login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName=max.mustermann