SB2023082332 - Multiple vulnerabilities in ManageEngine AssetExplorer

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Cleartext storage of sensitive information (CVE-ID: N/A)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores passwords in clear text in in backup scheduling feature. A local user can gain access to sensitive information.

2) Information disclosure (CVE-ID: N/A)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output in the reports feature. A remote user can gain unauthorized access to sensitive information on the system.

3) Inclusion of Sensitive Information in Log Files (CVE-ID: N/A)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. A local user can read the log files and gain access to sensitive data.

4) Improper Authentication (CVE-ID: N/A)

The vulnerability allows a remote user to bypass authentication process.

The vulnerability exists due to an error when handling second authentication factor. A remote user can bypass 2FA authentication process and gain unauthorized access to the application.

5) Resource exhaustion (CVE-ID: N/A)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can upload an arbitrary number of large images to the system and perform a denial of service attack.

Remediation

Install update from vendor's website.

References

• https://www.manageengine.com/products/asset-explorer/sp-readme.html#6988