CVE-2023-29443

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.

Published: Apr 26, 2023
Updated: Jun 27, 2023
CVE: CVE-2023-29443
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.9
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CWEs:

CWE-611

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
zohocorp / manageengine_assetexplorer	6.9-6980	6.9-6980.x
zohocorp / manageengine_assetexplorer	6.9-6981	6.9-6981.x
zohocorp / manageengine_assetexplorer	6.9-6982	6.9-6982.x
zohocorp / manageengine_assetexplorer	6.9-6986	6.9-6986.x
zohocorp / manageengine_assetexplorer	6.9-6987	6.9-6987.x
zohocorp / manageengine_assetexplorer	6.9-6988	6.9-6988.x
zohocorp / manageengine_assetexplorer	6.9-6983	6.9-6983.x
zohocorp / manageengine_assetexplorer	6.9-6984	6.9-6984.x
zohocorp / manageengine_assetexplorer	6.9-6985	6.9-6985.x
zohocorp / manageengine_servicedesk_plus	14.1-14101	14.1-14101.x
zohocorp / manageengine_servicedesk_plus	14.1-14102	14.1-14102.x
zohocorp / manageengine_servicedesk_plus	14.1-14103	14.1-14103.x
zohocorp / manageengine_servicedesk_plus	-	14.1
zohocorp / manageengine_servicedesk_plus	14.1-14100	14.1-14100.x
zohocorp / manageengine_servicedesk_plus	14.1	14.1.x
zohocorp / manageengine_servicedesk_plus_msp	14.0-14000	14.0-14000.x
zohocorp / manageengine_servicedesk_plus_msp	-	14.0
zohocorp / manageengine_supportcenter_plus	14.0-14000	14.0-14000.x
zohocorp / manageengine_supportcenter_plus	-	14.0
zohocorp / manageengine_servicedesk_plus_msp	14.0-14001	14.0-14001.x
zohocorp / manageengine_servicedesk_plus	14.1-14104	14.1-14104.x
zohocorp / manageengine_supportcenter_plus	14.0-14001	14.0-14001.x

https://www.manageengine.com/products/service-desk/CVE-2023-29443.html

Vulnerability Database

289,697

CVE-2023-29443