Improper URL parsing & Sensitive log data exposure

This document explains the improper URL parsing and unintended access of sensitive web activity data that has been reported.

Severity - Medium
Update Release build : 11.3.2404.1
Update Release Date : 23-Feb-2024
Reported by: lxxk via ManageEngine Bug bounty program.

What was the problem?

The URL parser treated the user-credential (userinfo) part of a URL as if it were the domain, so sensitive information was stored in the domain field. Because web activity records were keyed on these inconsistent domain details, one user could access another user's web activity data.

Note: The log access issue is limited to multiple users of the same system; it does not extend across systems.
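The following is an added example, not code from the advisory or from the ManageEngine product, that shows the parsing pitfall described above and a defensive way to handle it: a naive "everything after // up to the next /" host extractor keeps the `user:password@` userinfo in the domain, whereas an RFC 3986-aware split separates host from userinfo, and a redaction step strips credentials before a URL is written to an activity log. The URLs and log lines are constructed for the demonstration; the function names are the example's own.

```python
from urllib.parse import urlsplit, urlunsplit


def naive_host(url: str) -> str:
    """Constructed naive extractor: treats the whole authority as the domain.

    For "https://alice:s3cret@example.com/x" this returns
    "alice:s3cret@example.com", so credentials leak into the host field and
    into any record or log line built from it.
    """
    rest = url.split("//", 1)[1] if "//" in url else url
    return rest.split("/", 1)[0]


def safe_host(url: str) -> str:
    """RFC 3986-aware host extraction: userinfo and port are excluded.

    Note: urlsplit() lowercases the hostname, which is fine for keying
    activity records since DNS names are case-insensitive.
    """
    return urlsplit(url).hostname or ""


def has_userinfo(url: str) -> bool:
    """True if the URL carries a user:password@ component (a sensitive value)."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def redact_url(url: str) -> str:
    """Return the URL with userinfo removed, keeping scheme, host, port, path,
    query and fragment. Use this before logging or storing a visited URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets, restore them
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def find_leaky_lines(log_lines):
    """Audit helper: return (line_number, redacted_line) for log lines whose
    recorded URL still contains userinfo. Lines are assumed to be
    'user=<name> url=<url>' (constructed format for this example)."""
    leaks = []
    for n, line in enumerate(log_lines, start=1):
        for token in line.split():
            if token.startswith("url=") and has_userinfo(token[4:]):
                leaks.append((n, line.replace(token[4:], redact_url(token[4:]))))
    return leaks


if __name__ == "__main__":
    # Constructed sample activity log, not real product output.
    sample = [
        "user=alice url=https://alice:s3cret@example.com/reports?id=7",
        "user=bob url=https://example.com/home",
        "user=carol url=http://carol:pw@10.0.0.5:8080/a#top",
    ]
    print("naive:", naive_host(sample[0].split("url=")[1]))
    print("safe: ", safe_host(sample[0].split("url=")[1]))
    for n, fixed in find_leaky_lines(sample):
        print(f"line {n} leaked userinfo -> {fixed}")
```

The point of the pair of extractors is that the two give the same host for credential-free URLs and diverge only when userinfo is present, which is exactly the case that turns a per-domain activity record into a per-credential one; running `has_userinfo` at ingestion time and `redact_url` before storage closes that gap.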

How do I fix it?

Upgrading to the latest version is strongly advised due to this vulnerability's severity. To upgrade, follow the steps below:

  1. Log in to the product console, and click on your current build number in the top right corner.
  2. You'll be able to find the latest build applicable to you. Download the PPM and update.

For any further questions or concerns on this, please write to our support team.