Overview
The Zenprise Device Manager software is susceptible to a cross-site request forgery (CSRF) vulnerability that may result in the compromise of the fleet of mobile devices managed by the product.
Description
Zenprise Device Manager is a mobile device management (MDM) software package that can be used to manage an enterprise's mobile device fleet. The Zenprise Device Manager web interface is vulnerable to cross-site request forgery (CSRF) attacks. A successful CSRF attack against an admin user will allow a remote attacker to run commands as the admin user on any device managed by Zenprise Device Manager.
Impact
By tricking a logged-in admin user into visiting a specially crafted URL, a remote attacker may be able to access any managed device as the admin. The attacker can then perform any action an admin can, including remotely wiping the device.
Solution
Apply an update
Zenprise has released a patch to address this issue. Current customers can find more information about this vulnerability and the patch on the Zenprise customer center.
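For operators reviewing other admin consoles for the same class of flaw, the following added example (not Zenprise's code and not a description of its patch) shows the server-side gate that stops a forged request from riding on an admin's session: state changes are accepted only as POST, only from the console's own origin, and only with a token bound to the session. The origin, key handling, session identifier and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values for illustration; none come from the product.
SERVER_KEY = secrets.token_bytes(32)          # per-deployment secret
TRUSTED_ORIGIN = "https://mdm.example.test"   # hypothetical console origin


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the admin session, embedded in the console's own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """Accept only requests whose Origin (or Referer) is the console itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sends neither header
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def authorize_state_change(method: str, headers: dict,
                           session_id: str, form: dict) -> tuple:
    """Gate for a state-changing admin action such as a device wipe."""
    if method != "POST":
        return (False, "state changes must use POST")
    if not same_origin(headers):
        return (False, "cross-origin request")
    supplied = form.get("csrf_token", "").encode()
    expected = issue_csrf_token(session_id).encode()
    # Constant-time comparison; a token minted for another session fails here.
    if not hmac.compare_digest(supplied, expected):
        return (False, "missing or invalid CSRF token")
    return (True, "ok")


if __name__ == "__main__":
    sid = "constructed-session-id"
    ok = {"Origin": TRUSTED_ORIGIN}
    print(authorize_state_change("POST", ok, sid,
                                 {"csrf_token": issue_csrf_token(sid)}))
    print(authorize_state_change("POST", {"Origin": "https://other.example.test"},
                                 sid, {}))
```

The session cookie alone never satisfies this gate, which is the property a CSRF-vulnerable interface lacks.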
Acknowledgements
Thanks to Laurent Oudot of TEHTRI-Security for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
Field | Value |
---|---|
CVE IDs | None |
Severity Metric | 0.89 |
Date Public | 2011-11-18 |
Date First Published | 2011-11-18 |
Date Last Updated | 2012-08-03 20:53 UTC |
Document Revision | 18 |