Severity : Low
CVE ID : CVE-2022-25245
Affected software version(s) : 6970
Fixed version(s) : 6971
Fixed on : March 9, 2022
Details
In AssetExplorer, the approval login URL, which authorizes purchase details without a login, lets users who are not logged in extract vendor currency details.
Impact
Enables non-users to extract all vendor currency details without logging into the application.
Steps to upgrade
Customers can upgrade to the latest version (6971) using the appropriate migration path listed here.
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to assetexplorer-support@manageengine.com, or call us toll-free at +1.888.720.9500.
Acknowledgements
Reported by Matt through our bug bounty portal.