← Back

CVE-2023-29443

nvd nist
Published: Apr 26, 2023Modified: Feb 3, 2025

JSON object

Loading...
4.9
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.2 / Impact: 3.6
Source: NVD

Description

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.

Affected (22)

Zohocorp
4 products
Manageengine Assetexplorer
Manageengine Servicedesk Plus
Manageengine Servicedesk Plus Msp
Manageengine Supportcenter Plus
Configuration A
22 vulnerable
Vulnerable SoftwareAffected Versions
Zohocorp
Manageengine Assetexplorer
Version 6.9 6980
Manageengine Assetexplorer
Version 6.9 6981
Manageengine Assetexplorer
Version 6.9 6982
Manageengine Assetexplorer
Version 6.9 6983
Manageengine Assetexplorer
Version 6.9 6984
Manageengine Assetexplorer
Version 6.9 6985
Manageengine Assetexplorer
Version 6.9 6986
Manageengine Assetexplorer
Version 6.9 6987
Manageengine Assetexplorer
Version 6.9 6988
Zohocorp
Manageengine Servicedesk Plus
Before 14.1
Manageengine Servicedesk Plus
Version 14.1
Manageengine Servicedesk Plus
Version 14.1 14100
Manageengine Servicedesk Plus
Version 14.1 14101
Manageengine Servicedesk Plus
Version 14.1 14102
Manageengine Servicedesk Plus
Version 14.1 14103
Manageengine Servicedesk Plus
Version 14.1 14104
Zohocorp
Manageengine Servicedesk Plus Msp
Before 14.0
Manageengine Servicedesk Plus Msp
Version 14.0 14000
Manageengine Servicedesk Plus Msp
Version 14.0 14001
Zohocorp
Manageengine Supportcenter Plus
Before 14.0
Manageengine Supportcenter Plus
Version 14.0 14000
Manageengine Supportcenter Plus
Version 14.0 14001

Related CWEs

CWE-611
Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (2)

Source: cve@mitre.org
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.