CVE-2018-18980

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine Network Configuration Manager and OpManager versions prior to 12.3.214

Description A vulnerability exists that allows for XML External Entity injection (XXE) via the RequestXML parameter in a "/devices/ProcessRequest.do" API endpoint. This can be exploited to transmit local files to an arbitrary remote FTP server.

Recommendations For versions prior to 12.3.214, update to version 12.3.214 or later to resolve the issue. As a temporary workaround, consider restricting access to the /devices/ProcessRequest.do API endpoint until a patch is available. Avoid using the RequestXML parameter in the affected API endpoint until the issue is resolved.