CVE-2018-18980
HIGHManageEngine Network Configuration Manager & OpManager < 12.3.214 - XXE via RequestXML
Title source: llmDescription
An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://www.manageengine.com/network-monitoring/help/read-me.html
Exploit, Third Party Advisory x_refsource_misc
https://github.com/x-f1v3/ForCve/issues/5
Scores
CVSS v3
7.5
EPSS
0.3051
EPSS Percentile
96.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-611
Status
published
Products (2)
zohocorp/manageengine_network_configuration_manager
< 12.3.214
zohocorp/manageengine_opmanager
< 12.3.214
Published
Nov 06, 2018
Tracked Since
Feb 18, 2026