CVE-2019-14693

by adidionxlm

Abstract Advisory Information

ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Authors: Dominique Righetto

The vulnerability had previously been reported by another researcher, but Zoho did not request a CVE ID and did not provide the reporter's name for this advisory.

Version affected

Name: AssetExplorer
Versions: 6.2.0

Common Vulnerability Scoring System

8.5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H

Patches

None

References

None

Vulnerability Disclosure Timeline

  • 11/05/2019: Vulnerability identification
  • 14/05/2019: First contact with the vendor
  • 20/05/2019: Confirmed as duplicate by the vendor, CVE requested
  • 11/06/2019: Reminder for CVE to vendor
  • 28/06/2019: Reminder for CVE to vendor
  • 06/08/2019: CVE assigned by Mitre
  • 06/08/2019: Public disclosure