CVE-2023-29443
Severity CVSS v4.0:
Pending analysis
Type:
CWE-611
Improper Restriction of XML External Entity Reference ('XXE')
Publication date:
26/04/2023
Last modified:
03/02/2025
Description
Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.
Impact
Base Score 3.x
4.90
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:zohocorp:manageengine_assetexplorer:6.9:6980:*:*:*:*:*:* | ||
| cpe:2.3:a:zohocorp:manageengine_assetexplorer:6.9:6981:*:*:*:*:*:* | ||
| cpe:2.3:a:zohocorp:manageengine_assetexplorer:6.9:6982:*:*:*:*:*:* | ||
| cpe:2.3:a:zohocorp:manageengine_assetexplorer:6.9:6983:*:*:*:*:*:* | ||
| cpe:2.3:a:zohocorp:manageengine_assetexplorer:6.9:6984:*:*:*:*:*:* | ||
| cpe:2.3:a:zohocorp:manageengine_assetexplorer:6.9:6985:*:*:*:*:*:* | ||
| cpe:2.3:a:zohocorp:manageengine_assetexplorer:6.9:6986:*:*:*:*:*:* | ||
| cpe:2.3:a:zohocorp:manageengine_assetexplorer:6.9:6987:*:*:*:*:*:* | ||
| cpe:2.3:a:zohocorp:manageengine_assetexplorer:6.9:6988:*:*:*:*:*:* | ||
| cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:*:*:*:*:*:*:*:* | 14.1 (excluding) | |
| cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:14.1:-:*:*:*:*:*:* | ||
| cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:14.1:14100:*:*:*:*:*:* | ||
| cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:14.1:14101:*:*:*:*:*:* | ||
| cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:14.1:14102:*:*:*:*:*:* | ||
| cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:14.1:14103:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page