CVE-2023-29443
Published: 26 April 2023
Summary
CVE-2023-29443 is a medium-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Zoho Corp ManageEngine AssetExplorer. Its CVSS base score is 4.9 (Medium).
Operationally, it ranks in the top 9.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Zoho ManageEngine ServiceDesk Plus before version 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 contain an XML external entity vulnerability. The flaw resides in the Reports integration API endpoint, which processes XML responses from an attacker-controlled server without proper restrictions, allowing SDAdmin users to trigger XXE parsing.
An authenticated SDAdmin attacker can supply a crafted server endpoint that returns malformed XML, enabling the application to retrieve and expose sensitive internal files or resources over the network. The attack requires high privileges and targets confidentiality only, consistent with the CVSS 4.9 rating and CWE-611 classification.
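The defensive pattern the fix implies, as an added example that is not ManageEngine's code: an integration that fetches XML from an operator-configured server should refuse any DTD before handing the body to a parser, so external entities can never be declared or resolved. Both sample responses are constructed for illustration.

```python
"""Added example: reject DOCTYPE in XML fetched from a configured reports server (CWE-611)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of a well-formed integration reply.
BENIGN_REPORT = b'<?xml version="1.0"?><reports><report id="1">ok</report></reports>'

# Constructed sample of the pattern the advisory describes: the remote server
# declares an external entity. A parser that resolves entities would fetch the
# referenced resource; the path is a placeholder, not a real target.
HOSTILE_REPORT = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE reports [<!ENTITY ext SYSTEM "file:///placeholder/secret">]>'
    b'<reports><report id="1">&ext;</report></reports>'
)

_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UntrustedXMLError(ValueError):
    """Raised when an integration reply carries a DTD and is therefore refused."""


def contains_doctype(body: bytes) -> bool:
    """True if the raw body declares a DTD (internal or external subset)."""
    return _DOCTYPE.search(body) is not None


def parse_report_response(body: bytes) -> list[str]:
    """Parse a reports reply with DTD processing refused outright.

    Rejecting the DOCTYPE up front means the document cannot define entities
    at all, which is the simplest way to close CWE-611 for untrusted XML.
    The stdlib expat parser does not fetch external resources on its own.
    """
    if contains_doctype(body):
        raise UntrustedXMLError("DOCTYPE declaration not allowed in integration reply")
    root = ET.fromstring(body)
    return [r.text or "" for r in root.iter("report")]


if __name__ == "__main__":
    print(parse_report_response(BENIGN_REPORT))
    try:
        parse_report_response(HOSTILE_REPORT)
    except UntrustedXMLError as exc:
        print("refused:", exc)
```

Note that this check is applied to the raw bytes before decoding; if the integration accepts non-UTF-8 encodings, decode to text first so the DOCTYPE match cannot be bypassed by encoding.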
Vendor advisories at https://www.manageengine.com/products/service-desk/CVE-2023-29443.html recommend upgrading the affected products to the fixed releases listed in the description to eliminate the vulnerable XML handling code.
The associated EPSS score has remained flat at 0.0583 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-33012
Vulnerability details
Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.
- CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.