CVE-2018-18980: XEE
First published: Tue Nov 06 2018(Updated: )
An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zohocorp Manageengine Network Configuration Manager | <12.3.214 | |
| Zohocorp Manageengine Opmanager | <12.3.214 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2018-18980.
What is the title of the vulnerability?
The title of the vulnerability is 'An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214'.
What is XXE?
XML External Entity (XXE) is a type of vulnerability that allows an attacker to read files on the server's filesystem.
How can the vulnerability be exploited?
The vulnerability can be exploited by sending a specially crafted GET request with a malicious XML payload that triggers the XXE vulnerability.
What is the severity of CVE-2018-18980?
The severity of CVE-2018-18980 is high, with a CVSS score of 7.5.