Vulnerability Key Information

CVE ID: CVE-2022-25245
Vulnerability Type: ManageEngine Asset Explorer Information Disclosure
Affected Versions: ManageEngine Asset Explorer Plus 6.9 Build 6970
Remediation: Upgrade to ManageEngine Asset Explorer Version 6.9 Build 6971 or later
Vulnerability Severity: Low — only discloses the currency used by the current vendor, but may allow inference of other information such as vendor location

Proof of Concept

The information disclosure occurs in the when the request action is and no authentication is required, allowing retrieval of the vendor's currency:

If no currency is specified for the vendor, the response returns a dollar sign ($); otherwise, it returns the specific currency symbol used by the vendor.

Disclosure Timeline

February 14, 2022 — Vulnerability reported to Zoho
February 15, 2022 — Zoho begins investigation
February 16, 2022 — CVE-2022-25245 assigned
March 9, 2022 — Zoho releases patched version 6.9 Build 6971

Related Links

MITRE CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25245
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-25245