CVE-2022-43473: Security Updates - CVE-2022-43473 | ManageEngine OpManager
A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.
XML External Entity (XXE) Vulnerability - CVE-2022-43473
Severity: Medium
CVE ID: CVE-2022-43473
Product name                              | Affected Version(s) | Fixed Version(s) | Fixed On
------------------------------------------+---------------------+------------------+-----------
OpManager, OpManager Plus, OpManager MSP  | 126168 and below    | 126141           | 28-12-2022
                                          |                     | 126154 / 126169  | 30-12-2022
Details:
OpManager: The UCS module parsed the XML response received while adding a UCS device with XML entity processing enabled, which made it vulnerable to XML External Entity (XXE) injection. This has been fixed.
The fix disables XML entity resolution while parsing that XML response, so entities declared in an attacker-supplied DTD are never resolved and no external resource is fetched.
Impact:
An attacker who controls the endpoint OpManager contacts when a UCS device is added (or who can direct that request to a host they control) can return an XML response declaring an external entity. Because the XXE is blind, the entity's content is not returned to the attacker, but the OpManager server still issues the request, so resources that only the server can reach (internal services, restricted network ranges) can be accessed on the attacker's behalf (server-side request forgery).
Steps to upgrade:
- Kindly download the latest upgrade pack from here.
- Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above step.
Source and Acknowledgements
This vulnerability was reported by Marcin Noga of Cisco Talos. Find out more about CVE-2022-43473 from the CVE dictionary.
Kindly contact our product support team for further details at the email address below:
- OpManager: [email protected]
Note: XXE attacks allow an adversary to make OpManager interact, on their behalf, with backend or external systems that the OpManager server can reach.