CVE-2023-38343

An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.

Published: Sep 21, 2023
Updated: Sep 26, 2023
CVE: CVE-2023-38343
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWEs:

CWE-611

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
ivanti / endpoint_manager	2022-su1	2022-su1.x
ivanti / endpoint_manager	-	2022
ivanti / endpoint_manager	2022	2022.x
ivanti / endpoint_manager	2022-su2	2022-su2.x
ivanti / endpoint_manager	2022-su3	2022-su3.x

https://gist.github.com/bhyahoo/4772330b20057a271f77e690bc70f928
https://www.ivanti.com/releases

Vulnerability Database

CVE-2023-38343