CVE-2023-29443

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 4.9 MEDIUM | NETWORK | LOW | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| mitre | CNA | --- | --- | | | |
| CVE | ADP | --- | --- | | | |
| CISA-ADP | ADP | 4.9 MEDIUM | NETWORK | LOW | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
EPSS Score percentile: 61%
| Vendor | Product | Version |
|---|---|---|
| zohocorp | manageengine_assetexplorer | 6.9:6980 |
| zohocorp | manageengine_assetexplorer | 6.9:6981 |
| zohocorp | manageengine_assetexplorer | 6.9:6982 |
| zohocorp | manageengine_assetexplorer | 6.9:6983 |
| zohocorp | manageengine_assetexplorer | 6.9:6984 |
| zohocorp | manageengine_assetexplorer | 6.9:6985 |
| zohocorp | manageengine_assetexplorer | 6.9:6986 |
| zohocorp | manageengine_assetexplorer | 6.9:6987 |
| zohocorp | manageengine_assetexplorer | 6.9:6988 |
| zohocorp | manageengine_servicedesk_plus | 𝑥 < 14.1 |
| zohocorp | manageengine_servicedesk_plus | 14.1 |
| zohocorp | manageengine_servicedesk_plus | 14.1:14100 |
| zohocorp | manageengine_servicedesk_plus | 14.1:14101 |
| zohocorp | manageengine_servicedesk_plus | 14.1:14102 |
| zohocorp | manageengine_servicedesk_plus | 14.1:14103 |
| zohocorp | manageengine_servicedesk_plus | 14.1:14104 |
| zohocorp | manageengine_servicedesk_plus_msp | 𝑥 < 14.0 |
| zohocorp | manageengine_servicedesk_plus_msp | 14.0:14000 |
| zohocorp | manageengine_servicedesk_plus_msp | 14.0:14001 |
| zohocorp | manageengine_supportcenter_plus | 𝑥 < 14.0 |
| zohocorp | manageengine_supportcenter_plus | 14.0:14000 |
| zohocorp | manageengine_supportcenter_plus | 14.0:14001 |

𝑥 = Vulnerable software versions