Abstract Advisory Information


A service exposed by the software allows a basic user to perform a Server-Side Request Forgery (SSRF) attack. This attack can also be leveraged via a CSRF attack.

Author: Dominique Righetto

Version affected


Name: AssetExplorer

Product version: 6.2.0

Common Vulnerability Scoring System


5.0

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Patches


The vulnerability is patched in version 6.5 Build 6502

References


https://www.manageengine.com/products/asset-explorer/sp-readme.html

Vulnerability Disclosure Timeline


  • 04-05-2019: Vulnerability identification
  • 06-05-2019: First contact with the vendor
  • 06-05-2019: Acknowledgement from the vendor
  • 24-06-2019: Vulnerability patched by vendor
  • 25-06-2019: CVE assigned by Mitre
  • 17-07-2019: Patch release by vendor
  • 06-08-2019: Public disclosure