Security Updates

CVE-2023-22624 – XXE Vulnerability in Exchange Reporter Plus

Vulnerability Details

Severity: High
CVE ID: CVE-2023-22624
Affected software versions: Builds 5707 and below
Fixed version: Build 5708
Fixed on: 10 January 2023

Details

CVE-2023-22624 is an XML external entity injection (XXE) vulnerability reported in an API of ManageEngine Exchange Reporter Plus.

We have now released Exchange Reporter Plus build 5708, which fixes the issue by removing that API.

Impact

Under specific circumstances, a remote attacker who sends a specially crafted malformed request to this vulnerable API can trigger an XXE attack and read system files on the server.
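The vendor's fix removes the API altogether. Where an XML-accepting endpoint has to stay, the parser itself should refuse any document that carries a DTD, since entities (internal or external) can only be declared there. The following is an added example in Python and is not ManageEngine code; the request format, element names and the placeholder file path are constructed for illustration.

```python
"""Hardened XML intake: refuse any untrusted document that carries a DTD.

Added example, not ManageEngine code. The request format below is a
constructed stand-in, not real Exchange Reporter Plus traffic.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when untrusted XML declares a DOCTYPE (and so may declare entities)."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Entities can only be declared inside a DTD, so refusing the DOCTYPE
    # closes the XXE path before any entity value is ever resolved.
    raise UnsafeXmlError(
        f"DOCTYPE {name!r} rejected (system id {sysid!r}, public id {pubid!r})"
    )


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted client; raise UnsafeXmlError on any DTD."""
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _reject_doctype
    guard.Parse(data, True)  # UnsafeXmlError on a DTD, ExpatError if malformed
    # The document is DTD-free; a regular parse now builds the element tree.
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """True if the document is accepted, False if rejected for carrying a DTD."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXmlError:
        return False
    return True


# Constructed sample inputs for the check above.
BENIGN_REQUEST = b'<?xml version="1.0"?><request><report>mailboxSize</report></request>'
XXE_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH">]>'
    b"<request><report>&ext;</report></request>"
)

if __name__ == "__main__":
    print("benign accepted:", is_safe_xml(BENIGN_REQUEST))  # True
    print("DTD request accepted:", is_safe_xml(XXE_REQUEST))  # False
```

The guard runs before the tree is built, so a rejected request is logged and dropped without the parser ever touching the declared entity.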

Steps to update

Update Exchange Reporter Plus to build 5708 using the service pack.

Acknowledgements

This issue was reported by KyoDream through the Zoho BugBounty program.
