The version of ManageEngine AssetExplorer running on the remote web server is prior to 6.9 Build 6988. It is, therefore, affected by multiple vulnerabilities, including the following:
– A privilege escalation vulnerability in query reports. This vulnerability allows an attacker to gain access to restricted data in a Postgres database system by utilizing a certain PostgreSQL function in the query, allowing the validation process to be bypassed. (CVE-2023-26600)
– A Denial of Service vulnerability in image upload. This vulnerability allows an attacker to exploit the way an API method allocates memory by sending a small image file with a large size defined in the header, causing the application to crash or become unresponsive. (CVE-2023-26601)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
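An added illustration of a mitigation for the class of image-upload issue described above (not part of the advisory and not ManageEngine's fix): read the declared dimensions from the image header and reject the upload before any decoder allocates a buffer. The PNG format, the limits and all function names are assumptions of this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed policy limits (constructed for this example, not vendor values).
MAX_PIXELS = 40_000_000          # cap on declared width * height
MAX_DECODED_BYTES = 256 * 2**20  # cap on the raw decoded buffer
# Samples per pixel for each PNG colour type (PNG specification).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


class ImageRejected(ValueError):
    """Raised when the header is malformed or exceeds the policy limits."""


def declared_size(data: bytes) -> tuple[int, int, int]:
    """Return (width, height, decoded_bytes) using only the IHDR chunk."""
    if len(data) < 33 or data[:8] != PNG_SIG:
        raise ImageRejected("not a PNG or truncated header")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ImageRejected("first chunk is not a 13-byte IHDR")
    width, height, depth, colour = struct.unpack(">IIBB", data[16:26])
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(data[12:29]) != crc:
        raise ImageRejected("IHDR CRC mismatch")
    if width == 0 or height == 0 or colour not in CHANNELS:
        raise ImageRejected("invalid dimensions or colour type")
    if depth not in (1, 2, 4, 8, 16):
        raise ImageRejected("invalid bit depth")
    row_bytes = (width * CHANNELS[colour] * depth + 7) // 8
    return width, height, row_bytes * height


def check_upload(data: bytes) -> tuple[int, int]:
    """Validate declared dimensions before any decoder allocates memory."""
    width, height, decoded = declared_size(data)
    if width * height > MAX_PIXELS or decoded > MAX_DECODED_BYTES:
        raise ImageRejected(f"declared {width}x{height} needs {decoded} bytes")
    return width, height


def sample_header(width: int, height: int) -> bytes:
    """Constructed test input: PNG signature plus an 8-bit RGBA IHDR chunk."""
    body = b"IHDR" + struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return PNG_SIG + struct.pack(">I", 13) + body + struct.pack(">I", zlib.crc32(body))
```

The check runs on the first 33 bytes only, so it can sit in front of the upload handler and reject a file regardless of how small the file itself is.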
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26601
- http://www.nessus.org/u?e27c2350
- http://www.nessus.org/u?eb990e39
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26600

CVSS3
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H