PT-2023-22266 · Zoho · Servicedesk Plus Msp+3
Minhgalaxy
·
Published
2023-04-26
·
Updated
2025-02-03
·
CVE-2023-29443
CVSS v3.1
4.9
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Zoho ManageEngine ServiceDesk Plus versions prior to 14105
ServiceDesk Plus MSP versions prior to 14200
SupportCenter Plus versions prior to 14200
AssetExplorer versions prior to 6989
Description
Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200 and AssetExplorer before 6989 allow an authenticated attacker holding SDAdmin privileges to conduct XML External Entity (XXE) attacks: malformed XML served from an attacker-controlled ("crafted") server is parsed by a reports integration API endpoint with external entity resolution enabled. The CVSS vector reflects the conditions and the impact: PR:H because the SDAdmin role is required, and C:H with I:N and A:N because the outcome of an XXE is disclosure of files or internal resources readable by the application process, not modification or denial of service.
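To make the weakness class concrete, the following is an added example written for this page, not ManageEngine's code: the reports request format, the element names and the file path are assumptions. It parses a constructed XML document the way a vulnerable endpoint would (external general entities resolved), then with a hardened configuration that turns entity resolution off and rejects any DOCTYPE outright. The document declares an external entity pointing at a local file and references it in element content; the vulnerable parse hands the file's contents back to the caller, the hardened parse refuses the document.

```python
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects all character data of the document, entity expansions included."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


class _RejectDTD:
    """Lexical handler that aborts the parse as soon as a DOCTYPE appears.

    A DTD is the only place an XML entity can be declared, so refusing it
    removes XXE entirely instead of relying on per-feature switches.
    """

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DTD/DOCTYPE declarations are not accepted")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_report_xml(payload: bytes, hardened: bool) -> str:
    """Parse a (hypothetical) reports-integration XML body and return its text.

    hardened=False resolves external general entities, i.e. the XXE-prone
    configuration. hardened=True disables that resolution and rejects DTDs.
    """
    parser = xml.sax.make_parser()
    collector = _TextCollector()
    parser.setContentHandler(collector)
    if hardened:
        parser.setFeature(xml.sax.handler.feature_external_ges, False)
        parser.setProperty(xml.sax.handler.property_lexical_handler, _RejectDTD())
    else:
        # Explicit so the example behaves the same on every Python version;
        # before 3.7.1 this was the default.
        parser.setFeature(xml.sax.handler.feature_external_ges, True)
    parser.parse(io.BytesIO(payload))
    return collector.text()


def build_xxe_payload(path: str) -> bytes:
    """Constructed attacker document: declares an external entity and references it."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE report [<!ENTITY xxe SYSTEM "%s">]>\n'
        "<report><name>&xxe;</name></report>" % path
    ).encode()


def demo():
    """Return (text leaked by the vulnerable parse, whether the hardened parse blocked it)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a sensitive file readable by the application.
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("db-password=hunter2")
        payload = build_xxe_payload(secret_path)
        leaked = parse_report_xml(payload, hardened=False)
        try:
            parse_report_xml(payload, hardened=True)
            blocked = False
        except ValueError:
            blocked = True
        return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parse returned:", repr(leaked))
    print("hardened parse blocked the document:", blocked)
```

The hardened branch is the generic fix for this weakness class: do not let untrusted XML declare entities at all, and keep external entity resolution off. In Java parsers, which ManageEngine products run on, the equivalent is setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the factory before parsing.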
Recommendations
For Zoho ManageEngine ServiceDesk Plus versions prior to 14105, update to version 14105 or later.
For ServiceDesk Plus MSP versions prior to 14200, update to version 14200 or later.
For SupportCenter Plus versions prior to 14200, update to version 14200 or later.
For AssetExplorer versions prior to 6989, update to version 6989 or later.
Fix
XXE
Weakness Enumeration
Related Identifiers
Affected Products
Assetexplorer
Servicedesk Plus Msp
Supportcenter Plus
Zoho Manageengine Servicedesk Plus