Abstract Advisory Information
ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity (XXE) injection attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Authors: Dominique Righetto
The vulnerability had previously been reported by another researcher, but Zoho did not request a CVE-ID and did not provide the name of that reporter for this advisory.
Common Vulnerability Scoring System
Vulnerability Disclosure Timeline
- 11/05/2019: Vulnerability identification
- 14/05/2019: First contact with the vendor
- 20/05/2019: Confirmed as a duplicate by the vendor, CVE requested
- 11/06/2019: Reminder for CVE to vendor
- 28/06/2019: Reminder for CVE to vendor
- 06/08/2019: CVE assigned by MITRE
- 06/08/2019: Public disclosure