CVE-2023-28340
Published: 11 April 2023
Summary
CVE-2023-28340 is a medium-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Zoho ManageEngine Applications Manager. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 7.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
Deeper analysis
Zoho ManageEngine Applications Manager through build 16320 contains an XML External Entity (XXE) vulnerability, identified as CVE-2023-28340 and assigned CWE-611. The flaw received a CVSS 3.1 base score of 6.5 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N): network attack vector, low attack complexity, high privileges required, no user interaction, with high confidentiality and integrity impact and no availability impact.
An authenticated administrator can submit XML containing a DOCTYPE that declares an external entity, which the application's XML parser resolves. The typical consequences of CWE-611 apply: disclosure of files readable by the Applications Manager process and requests to internal resources reachable from the server, with the integrity impact reflected in the vector. Because PR:H is required, the practical exposure is an already-compromised or malicious admin account, or a chain that first obtains one; it is not a pre-auth issue. No user interaction is needed for successful exploitation.
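To make the CWE-611 mechanism concrete, the following is an added example and not ManageEngine code: it uses Python's standard-library xml.sax parser as a stand-in for the product's XML handling. The "vulnerable" function switches external general entity resolution on, so a SYSTEM entity declared in an attacker-supplied DOCTYPE pulls a local file into the parsed document; the "hardened" function keeps resolution off and rejects any DOCTYPE outright, the equivalent of the disallow-doctype-decl setting on Java parsers. The secret file, the element names and the payload shape are constructed for the demonstration and are not an Applications Manager request format.

```python
"""Added example, not ManageEngine code: the CWE-611 failure mode and its fix,
demonstrated with Python's standard-library xml.sax parser as a stand-in."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import feature_external_ges, property_lexical_handler


class TextCollector(handler.ContentHandler):
    """Gathers every run of character data the parser delivers."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


class DoctypeRejector:
    """SAX lexical handler that aborts the parse as soon as a DOCTYPE appears."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declaration rejected: %s" % name)

    # Remaining LexicalHandler callbacks are required by the interface; no-ops.
    def endDTD(self): pass
    def startEntity(self, name): pass
    def endEntity(self, name): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def parse_vulnerable(xml_bytes):
    """Vulnerable configuration: external entities are fetched and spliced in."""
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, True)   # the CWE-611 mistake
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_hardened(xml_bytes):
    """Hardened configuration: no external entities, no DOCTYPE at all."""
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, False)  # default since Python 3.7.1
    parser.setProperty(property_lexical_handler, DoctypeRejector())
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def build_xxe_payload(target_path):
    """Classic XXE payload: a SYSTEM entity pointing at a local file, referenced
    in the body.  Element names are hypothetical, not an Applications Manager
    request format."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE monitor [<!ENTITY xxe SYSTEM "' + target_path.encode() + b'">]>\n'
        b'<monitor><name>&xxe;</name></monitor>\n'
    )


def demo():
    """Run the payload through both parsers against a constructed secret file.

    Returns (text_leaked_by_vulnerable_parser, error_from_hardened_parser).
    """
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as f:
        f.write("db.password=hunter2\n")   # constructed sample secret
        secret_path = f.name
    try:
        payload = build_xxe_payload(secret_path)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            hardened_error = None
        except ValueError as exc:
            hardened_error = str(exc)
    finally:
        os.unlink(secret_path)
    return leaked, hardened_error


if __name__ == "__main__":
    leaked, err = demo()
    print("vulnerable parser leaked:", repr(leaked))
    print("hardened parser raised:", err)
```

Running the script shows the secret file's contents arriving as ordinary character data in the vulnerable parse, while the hardened parse stops at the DOCTYPE before any entity is declared. Rejecting the DOCTYPE is deliberately broader than only disabling external entities: it also removes entity-expansion denial of service and parameter-entity tricks, which is why it is the recommended posture for parsers that only ever accept application-generated XML.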
Vendor advisories hosted on manageengine.com direct administrators to apply the security updates listed for CVE-2023-28340, which address the issue in the affected product versions.
The associated EPSS score has remained flat at 0.0767 (roughly a 7.7% estimated probability of exploitation activity within 30 days) with no material rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-32038
Vulnerability details
Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.
- CWE(s): CWE-611 Improper Restriction of XML External Entity Reference
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Zoho ManageEngine Applications Manager, builds through 16320 (per the NVD description)
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the controls below follow from the weakness type (CWE-611) cited in the NVD entry rather than from product-specific analysis.
- Apply the vendor security update for CVE-2023-28340 from manageengine.com (the only fix that removes the flaw).
- Where XML parsers are configured by the operator, disable DTD processing and external general/parameter entity resolution entirely rather than selectively.
- Treat administrator accounts as the attack surface (PR:H): enforce MFA, restrict admin logins to management networks, and review admin account inventory.
- Limit outbound connectivity from the Applications Manager host so an XXE-driven internal request or out-of-band exfiltration has nowhere to go.
- Log and alert on submitted XML that contains DOCTYPE or ENTITY declarations; legitimate application traffic should not carry them.