Non-login users can extract vendor currency details

Severity: Low

CVE ID: CVE-2022-25245

| Product Name | Affected Version(s) | Fixed Version(s) | Fixed On |
|---|---|---|---|
| ServiceDesk Plus | 13000 and below | 13001 | March 9, 2022 |
| AssetExplorer | 6970 and below | 6971 | March 9, 2022 |

Details

The approval login URL lets an approver approve purchase details without logging in to the application. Through this URL, users who are not logged in are able to extract vendor currency details.

Impact

Users can extract all vendor currency details without logging in to the application.

Steps to upgrade

  1. Download the latest upgrade pack from the following links for the respective product:
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Acknowledgements

This issue was reported by Matt on our bug bounty portal.

Please contact product support for further details at the email addresses below:

ServiceDesk Plus: support@servicedeskplus.com

AssetExplorer: assetexplorer-support@manageengine.com

For assistance, call us toll-free at +1.888.720.9500
