CVE-2022-43473

Name of the Vulnerable Software and Affected Versions ManageEngine OpManager version 12.6.168

Description A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality. This issue is related to incorrect restriction of XML links to external objects. Exploitation of this vulnerability may allow a remote attacker to perform a Server-Side Request Forgery (SSRF) attack. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.

Recommendations For ManageEngine OpManager version 12.6.168, consider disabling the Add UCS Device functionality until a patch is available to prevent potential SSRF attacks. Restrict access to the vulnerable functionality to minimize the risk of exploitation. Avoid using malicious XML files in the affected functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.