CVE-2023-29443 — MEDIUM (4.9)

Q: How severe is CVE-2023-29443?

CVE-2023-29443 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-29443?

Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Assetexplorer, Zohocorp Manageengine Servicedesk Plus, Zohocorp Manageengine Servicedesk Plus Msp, Zohocorp Manageengine Supportcenter Plus.

Vulnerability Description

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.

CVSS Score

4.9

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Zohocorp	Manageengine Assetexplorer	6.9
Zohocorp	Manageengine Servicedesk Plus	< 14.1
Zohocorp	Manageengine Servicedesk Plus Msp	< 14.0
Zohocorp	Manageengine Supportcenter Plus	< 14.0

Related Weaknesses (CWE)

CWE-611

References

https://www.manageengine.com/products/service-desk/CVE-2023-29443.htmlVendor Advisory
https://www.manageengine.com/products/service-desk/CVE-2023-29443.htmlVendor Advisory

FAQ

What is CVE-2023-29443?

CVE-2023-29443 is a vulnerability with a CVSS score of 4.9 (MEDIUM). Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a ...

How severe is CVE-2023-29443?

CVE-2023-29443 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-29443?

Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Assetexplorer, Zohocorp Manageengine Servicedesk Plus, Zohocorp Manageengine Servicedesk Plus Msp, Zohocorp Manageengine Supportcenter Plus.