CVE-2023-38343

An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 63%
VendorProductVersion
ivantiendpoint_manager
𝑥
< 2022
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://gist.github.com/bhyahoo/4772330b20057a271f77e690bc70f928
https://www.ivanti.com/releases
https://gist.github.com/bhyahoo/4772330b20057a271f77e690bc70f928
https://www.ivanti.com/releases