Lucene search
Piotr Bazydlo (@chudypb) of Trend Micro Zero Day InitiativeZDI-22-1612HistoryNov 21, 2022 - 12:00 a.m.
ManageEngine ServiceDesk Plus getAsDoc XML External Entity Processing Information Disclosure Vulnerability
2022-11-2100:00:00
Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative
www.zerodayinitiative.com
14
xxe vulnerability
manageengine servicedesk plus
sensitive information disclosure
denial-of-service
authentication required
getasdoc function
EPSS
0.001
Percentile
38.5%
This vulnerability allows remote attackers to disclose sensitive information on affected installations of ManageEngine ServiceDesk Plus. Authentication is required to exploit this vulnerability. The specific flaw exists within the getAsDoc function. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM or to create a denial-of-service condition on the system.
Related
nvd
nvd
CVE-2022-40771
2022-11-23 18:15:12
nessus
nessus
ManageEngine AssetExplorer 6.9 Build 6980 XXE
2022-12-02 00:00:00
ManageEngine ServiceDesk Plus MSP < 13.0 Build 13001 XXE
2022-12-02 00:00:00
ManageEngine SupportCenter Plus < 11.0 Build 11026 Multiple Vulnerabilities
2022-12-02 00:00:00
cvelist
cvelist
CVE-2022-40771
2022-11-23 00:00:00
prion
prion
Xxe
2022-11-23 18:15:00
cve
cve
CVE-2022-40771
2022-11-23 18:15:12