CVE-2023-35786: Mitigate XXE Vulnerability in ADManager Plus | CVE
Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files.
XXE vulnerability - ManageEngine ADManager Plus
Vulnerability Details
Severity
Low
CVE ID
CVE-2023-35786
Affected software versions
Build 7182 and older
Fixed version
Build 7183
Fixed on
March 15, 2023
Details
ADManager Plus builds 7182 and older were reported to have an authenticated XML external entity (XXE) injection vulnerability. This has been fixed in build 7183; its release notes can be found here.
Impact
Authenticated administrators were able to perform XXE attacks and view files in servers running the affected product versions.
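The fix class this advisory describes is an XML parser that refuses DTDs and external entities before an XML body reaches the application. The following is an added illustration in Python's standard expat binding, not Zoho's code; the function names and the two sample request bodies are constructed.

```python
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when input carries a DOCTYPE or references an external entity."""


def parse_without_entities(data: bytes) -> list[tuple[str, dict]]:
    """Return (element, attributes) pairs, refusing DTD/XXE constructs.

    The handlers raise before expat reads any SYSTEM identifier, so the
    parser never opens a local file on behalf of the request.
    """
    parser = expat.ParserCreate()
    # Parameter entities are a second route to an external DTD; never process them.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    elements: list[tuple[str, dict]] = []

    def on_start(name, attrs):
        elements.append((name, dict(attrs)))

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE is the only place an entity can be declared; reject it outright.
        raise UnsafeXmlError(f"DOCTYPE '{name}' rejected")

    def on_external_entity(context, base, sysid, pubid):
        # Defence in depth: only reachable if a DOCTYPE were ever allowed through.
        raise UnsafeXmlError(f"external entity referencing {sysid!r} rejected")

    parser.StartElementHandler = on_start
    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(data, True)
    return elements


def is_accepted(data: bytes) -> bool:
    """True if `data` parses with entities disabled, False if it was rejected."""
    try:
        parse_without_entities(data)
        return True
    except (UnsafeXmlError, expat.ExpatError):
        return False


# Constructed samples (not from the advisory): a benign body and one declaring
# an external entity, the construct an XXE file-read depends on.
BENIGN = b'<request><user name="alice"/></request>'
XXE = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM "file:///placeholder/path">]>'
       b'<request>&x;</request>')

if __name__ == "__main__":
    print(parse_without_entities(BENIGN))
    print("XXE sample accepted?", is_accepted(XXE))
```

The same two settings (no DOCTYPE, no external general or parameter entities) are what to check for in whichever XML library the product's own code uses.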
Steps to update
Update your ADManager Plus instance to its latest build by installing the service pack.
Acknowledgement
This issue was reported by r00t4dm via Zoho’s Bug Bounty program.