XXE Vulnerability in Zoho ManageEngine Exchange Reporter Plus
CVE-2023-22624

7.5HIGH

Key Information:

Vendor: Zohocorp
Status: Manageengine Exchange Reporter Plus
Vendor: CVE Published:; 17 January 2023

What is CVE-2023-22624?

The vulnerability in Zoho ManageEngine Exchange Reporter Plus prior to version 5708 allows attackers to perform XML External Entity (XXE) attacks. This flaw potentially exposes sensitive data and leads to unauthorized access to internal network resources. Attackers can exploit this weakness to manipulate XML input, which could result in the disclosure of confidential information and compromise the security of the application.

References

https://www.manageengine.com/products/exchange-reports/ad...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 17, 2023
Vulnerability Reserved
Jan 5, 2023

Zohocorp

What is CVE-2023-22624?

References

CVSS V3.1

Timeline