| Vulnerability Details | |
|---|---|
| Impact | CVSS V3 rating: 10 (Critical) |
| Reported | 10 Sept 2018 |
| Fixed | 10 Oct 2018 |
| Affected Builds | Till Build 123208 |
| Fixed in | Build 123214 |
| Overview | XML External Entity in Business view page. |
| Recommended Fix | Upgrade to OpManager Version 12.3.239 or above. |
A XML External Entity injection (XXE) vulnerability was discovered in OpManager before version 12.3.214. This vulnerability occurred via the 'RequestXML' parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server. We recommend that you upgrade to OpManager Version 12.3.214 or above to fix this issue.
Source and Acknowledgements
Find out more about CVE-2018-18980 from the CVE dictionary.
For clarification or corrections please contact our support team or email us at opmanager-support@manageengine.com.