| Vulnerability Details | |
|---|---|
| Severity | Medium |
| CVE ID | CVE-2023-28340 |
| Affected software versions | Version 16320 and below |
| Fixed Version | Version 16135 to 16139 Version 16213 to 16219 Version 16330 and above |
| Fixed on | 18 Jan 2023 |
When a malicious WSDL URL is provided in Web Service monitor, the URL SOAP response is parsed by an insecure XML parser which lead to XML External Entity (XXE) Vulnerability.
This vulnerability allows Applications Manager to be used for file retrieval, server side request forgery, port scanning, or brute forcing.
Applications Manager version 16330 and above fixes this issue by properly parsing the XML response from the WSDL URL provided by the user.
Update your Applications Manager instance to the latest build using the service pack.
Find out more about CVE-2023-28340 from CVE Directory and NIST NVD.
Da22le.
For clarification or corrections please contact our support team or email us at appmanager-support@manageengine.com