Vulnerabilities > CVE-2020-8540 - Server-Side Request Forgery (SSRF) vulnerability in Zohocorp Manageengine Desktop Central

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

zohocorp

CWE-918

critical

NVD

Published: 2020-03-11

Updated: 2021-07-21

Summary

An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

Vulnerable Configurations

Part	Description	Count
Application	Zohocorp Zohocorp Manageengine Desktop Central - Zohocorp Manageengine Desktop Central 7.0 Zohocorp Manageengine Desktop Central 7.0.0 Zohocorp Manageengine Desktop Central 7.0.1 Zohocorp Manageengine Desktop Central 8.0.0 Zohocorp Manageengine Desktop Central 9.0 Zohocorp Manageengine Desktop Central 9.1.0 Zohocorp Manageengine Desktop Central 10 Zohocorp Manageengine Desktop Central 10.0 Zohocorp Manageengine Desktop Central 10.0.0 Zohocorp Manageengine Desktop Central 10.0.124 Zohocorp Manageengine Desktop Central 10.0.137 Zohocorp Manageengine Desktop Central 10.0.184 Zohocorp Manageengine Desktop Central 10.0.255 Zohocorp Manageengine Desktop Central 10.0.271 Zohocorp Manageengine Desktop Central 10.0.289 Zohocorp Manageengine Desktop Central 10.0.290 Zohocorp Manageengine Desktop Central 10.0.380 Zohocorp Manageengine Desktop Central 10.0.430 Zohocorp Manageengine Desktop Central 10.0.479 Zohocorp Manageengine Desktop Central 10.0.483 Zohocorp Manageengine Desktop Central 10.0.484 Zohocorp Manageengine Desktop Central 10.0.486 Zohocorp Manageengine Desktop Central 10.0.533 Zohocorp Manageengine Desktop Central 10.0.552.W Zohocorp Manageengine Desktop Central 10.0.561 Zohocorp Manageengine Desktop Central 10.0.647 Zohocorp Manageengine Desktop Central 10.1.2119.7 Zohocorp Manageengine Desktop Central 10.1.2127.17 Zohocorp Manageengine Desktop Central 10.1.2127.18 Zohocorp Manageengine Desktop Central 10.1.2128.0 Zohocorp Manageengine Desktop Central 10.1.2137.2 Zohocorp Manageengine Desktop Central 10.1.2137.3 Zohocorp Manageengine Desktop Central 10.1.2137.8 Zohocorp Manageengine Desktop Central 10.1.2137.9	41

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

References

https://www.manageengine.com/products/desktop-central/xxe-vulnerability.html