Cyber Resilience

CVE-2023-29443

Medium

Published: 26 April 2023
Modified: 03 February 2025
CVSS Score v3.1: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0583 (90.7th percentile)
Risk Priority: 13 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-29443 is a medium-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Zoho ManageEngine AssetExplorer. Its CVSS base score is 4.9 (Medium).

Operationally, it ranks in the top 9.3% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Zoho ManageEngine ServiceDesk Plus before version 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 contain an XML external entity (XXE) vulnerability. The flaw resides in the Reports integration API endpoint, which parses XML responses from an attacker-controlled server without restricting external entity resolution, so an SDAdmin user can trigger XXE processing.

An authenticated SDAdmin attacker can supply a crafted server endpoint that returns malformed XML, enabling the application to retrieve and expose sensitive internal files or resources over the network. The attack requires high privileges and targets confidentiality only, consistent with the CVSS 4.9 rating and CWE-611 classification.
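To illustrate the hardening principle behind fixes for this class of flaw, here is an added Python example (not ManageEngine's code, which is Java) that gates XML returned by an admin-configured endpoint: any DOCTYPE or entity declaration is refused before the document is parsed, so no external entity can be declared, let alone dereferenced. The sample response bodies are constructed for the example.

```python
"""Gate XML fetched from an admin-configured integration endpoint before parsing.

Added illustration, not ManageEngine code. The principle behind CWE-611 fixes:
XML that comes from a server the application does not control must never be
allowed to declare entities, so it can never point the parser at local files
or internal URLs.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UntrustedXMLError(ValueError):
    """Raised when a remote XML response carries constructs that enable XXE."""


def parse_integration_xml(payload: bytes) -> ET.Element:
    """Parse XML from a remote endpoint, rejecting DOCTYPE and entity declarations."""
    gate = expat.ParserCreate()

    def refuse(*_args):
        raise UntrustedXMLError("DOCTYPE/entity declarations not allowed in integration responses")

    gate.StartDoctypeDeclHandler = refuse    # fires before any entity can be declared
    gate.EntityDeclHandler = refuse          # catches entities in an internal subset
    gate.ExternalEntityRefHandler = refuse   # never dereference an external entity
    gate.Parse(payload, True)                # raises UntrustedXMLError or expat.ExpatError
    return ET.fromstring(payload)            # only well-formed, DOCTYPE-free XML gets here


def classify_integration_xml(payload: bytes) -> str:
    """Return 'ok', 'doctype-rejected' or 'malformed' for a response body."""
    try:
        parse_integration_xml(payload)
    except UntrustedXMLError:
        return "doctype-rejected"
    except (expat.ExpatError, ET.ParseError):
        return "malformed"
    return "ok"


# Constructed sample responses (not captured from any real server).
BENIGN_RESPONSE = b'<?xml version="1.0"?><report><row asset="srv-01" status="ok"/></report>'
EXTERNAL_DTD_RESPONSE = (b'<?xml version="1.0"?>'
                         b'<!DOCTYPE report SYSTEM "http://example.invalid/report.dtd">'
                         b'<report/>')
MALFORMED_RESPONSE = b'<report><row>'

if __name__ == "__main__":
    for name, body in [("benign", BENIGN_RESPONSE), ("external-dtd", EXTERNAL_DTD_RESPONSE),
                       ("malformed", MALFORMED_RESPONSE)]:
        print(f"{name}: {classify_integration_xml(body)}")
```

Rejecting the DOCTYPE outright is stricter than disabling individual parser features, and it is the safe default for XML whose schema never legitimately needs one.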

Vendor advisories at https://www.manageengine.com/products/service-desk/CVE-2023-29443.html recommend upgrading the affected products to the fixed releases listed in the description to eliminate the vulnerable XML handling code.

The associated EPSS score has remained flat at 0.0583 with no material increase since disclosure.

Vulnerability details

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.

CWE(s)

CWE-611: Improper Restriction of XML External Entity Reference

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- zohocorp / manageengine assetexplorer: 6.9
- zohocorp / manageengine servicedesk plus: 14.1 (≤ 14.1)
- zohocorp / manageengine servicedesk plus msp: 14.0 (≤ 14.0)
- zohocorp / manageengine supportcenter plus: 14.0 (≤ 14.0)

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-611: Penetration testing includes XML external entity payloads, detecting XXE vulnerabilities and enabling their mitigation.
- Addresses CWE-611: Identifies XML external entity processing via monitoring of unusual file/network access or resource usage.
