CVE-2019-17112

by adidionxlm

Abstract Advisory Information

Security issue affecting the product DataSecurity Plus.

DataSecurity Plus is software that helps companies address enterprise data security needs in Data Discovery, File Server Auditing and Storage Analysis.

Two services exposed by the software allow a basic user (“Operator” access level) to:
– Use the service as a relay to perform a discovery operation (machine availability and open port state) targeting machines located in the same internal network.
– Access the configuration file of the mail server (except the password).

Authors: Dominique Righetto

Version affected

Vendor: Manage Engine
Name: DataSecurity Plus
Version: 5.0.1 Build 5011 and previous versions

Common Vulnerability Scoring System

4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Patches

5.0.1 Build 5012

References

https://www.manageengine.com/data-security/release-notes.html

Vulnerability Disclosure Timeline

  • 09/07/2019: Vulnerability discovered
  • 10/07/2019: First contact with vendor
  • 06/08/2019: Request for updates, no answers
  • 26/08/2019: Request for updates, no answers
  • 04/09/2019: Request for updates, no answers
  • 12/09/2019: Vendor confirmed the fix creation
  • 26/09/2019: Request for updates, no answers
  • 01/10/2019: Request for updates, no answers
  • 03/10/2019: Fix released by vendor (5012)
  • 03/10/2019: MITRE CVE-ID request CVE-2019-17112
  • 07/10/2019: Public disclosure