CVE-2022-40771
Description
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zoho ManageEngine ServiceDesk Plus and related products are vulnerable to XXE injection via Analytics Plus integration, allowing admin-level attackers to read local files.
Vulnerability
Zoho ManageEngine ServiceDesk Plus (versions 14000 and below), ServiceDesk Plus MSP (13000 and below), SupportCenter Plus (11025 and below), and AssetExplorer (6980 and below) are vulnerable to XML External Entity (XXE) injection in their Analytics Plus integration. The root cause is that the product parses the XML response returned by the configured Analytics Plus server with external entity resolution left enabled, so whoever controls that response can declare an external entity in the document's DTD and have the product expand it [2]. Note that the CVE description above cites ServiceDesk Plus 13010 and prior, while the vendor advisory cited here gives 14000 and below; treat the advisory's ranges as authoritative when checking exposure.
Exploitation
Exploitation requires the attacker to hold the admin role in the affected product. The attacker stands up a server they control, configures the product's Analytics Plus integration to point at it, and has the server answer with an XML document whose DTD declares an external entity referencing a local file on the product's host (a file:// URI is the usual form). Because the request is made by the product itself, the entity resolves on the ServiceDesk Plus server, not the attacker's machine, and the file contents are returned to the attacker through the parsed result [2].
Impact
Successful exploitation lets an attacker who already holds admin privileges read files from the filesystem of the server running the affected product, limited to what the product's service account can read. Typical targets are configuration files, stored credentials, and other confidential data on the host, so the practical impact is information disclosure and the credential exposure that follows from it [2].
Mitigation
Zoho has released fixed versions: ServiceDesk Plus 14001 (October 14, 2022), ServiceDesk Plus MSP 13001 (October 27, 2022), SupportCenter Plus 11026 (October 28, 2022), and AssetExplorer 6981 (October 13, 2022). Users should upgrade to the latest build following the upgrade pack instructions in the advisory, and confirm the installed build number after upgrading [2]. No workaround is documented; since exploitation requires the admin role, restricting who holds that role and reviewing changes to the Analytics Plus integration settings reduces exposure but does not remove the parser flaw.
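The Exploitation and Mitigation passages above describe the flaw at the level of "the parser resolves an external entity". The following added example (not code from the page or from ManageEngine, whose product is Java and not shown here) makes both halves concrete with Python's standard-library xml.sax parser standing in for the product's parser: it builds the XML body a rogue integration server would return, shows a permissive parser leaking a local file into the parsed result, and shows a hardened parser that keeps external entity resolution off and rejects any response carrying a DOCTYPE. The file name database_params.conf, its contents and the XML response shape are constructed for the demonstration and are not taken from the product.

```python
"""Added example: XXE via an attacker-controlled XML response.

Python's xml.sax (expat) stands in for the vulnerable product's parser;
the response body, file name and secret are constructed for this demo.
Assumes a POSIX path so that "file://" + path is a valid file URI.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler


class XxeRejected(Exception):
    """Raised by the hardened parser when a response carries a DOCTYPE."""


def build_malicious_response(target_uri: str) -> bytes:
    # Constructed body a rogue "Analytics Plus" server would return: the DTD
    # declares an external entity pointing at a file on the *product's* host,
    # and the body references it so the file contents land in <message>.
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE response [\n"
        f'  <!ENTITY xxe SYSTEM "{target_uri}">\n'
        "]>\n"
        "<response><status>ok</status><message>&xxe;</message></response>\n"
    ).encode()


class _Collector(ContentHandler):
    """Collects the text of each element, which is what an integration
    client would read out of the response."""

    def __init__(self):
        super().__init__()
        self.text = {}
        self._current = None

    def startElement(self, name, attrs):
        self._current = name
        self.text.setdefault(name, "")

    def characters(self, content):
        if self._current:
            self.text[self._current] += content

    def endElement(self, name):
        self._current = None


def parse_vulnerable(body: bytes) -> dict:
    # Permissive configuration: external general entities are fetched and
    # expanded, so &xxe; becomes the contents of the referenced local file.
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)
    collector = _Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return collector.text


class _NoDoctype:
    """Lexical handler that refuses any DTD; the other callbacks are no-ops."""

    def startDTD(self, name, public_id, system_id):
        raise XxeRejected(f"DOCTYPE not allowed in integration response: {name}")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_hardened(body: bytes) -> dict:
    # Hardened configuration: never resolve external entities, and reject
    # a DOCTYPE outright since the integration never legitimately needs one.
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setProperty(handler.property_lexical_handler, _NoDoctype())
    collector = _Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return collector.text


def run_demo() -> dict:
    """Plant a secret file, feed the XXE response to both parsers, and
    report what leaked and whether the hardened parser blocked it."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "database_params.conf")  # constructed
        with open(secret_path, "w") as f:
            f.write("db.password=s3cr3t")  # constructed secret
        body = build_malicious_response("file://" + secret_path)
        leaked = parse_vulnerable(body)["message"]
        try:
            parse_hardened(body)
            blocked = False
        except XxeRejected:
            blocked = True
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    print(run_demo())
```

The two parsers differ only in configuration, which is the point: the response is hostile either way, and what decides the outcome is whether the consumer resolves external entities. In a real deployment the equivalent fix in Java is to disable DOCTYPE declarations and external general and parameter entities on the parser factory; rejecting the DOCTYPE is preferred over merely not resolving entities because it also shuts off entity-expansion denial of service.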
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine ServiceDesk Plus
- Range: <=13010
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.