Vulnerabilities > CVE-2020-8540 - XXE vulnerability in Zohocorp Manageengine Desktop Central

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

zohocorp

CWE-611

NVD

Published: 2020-03-11

Updated: 2021-07-21

Summary

An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

Vulnerable Configurations

Part	Description	Count
Application	Zohocorp Zohocorp Manageengine Desktop Central - Zohocorp Manageengine Desktop Central 7.0 Zohocorp Manageengine Desktop Central 7.0.0 Zohocorp Manageengine Desktop Central 7.0.1 Zohocorp Manageengine Desktop Central 8.0.0 Zohocorp Manageengine Desktop Central 9.0 Zohocorp Manageengine Desktop Central 9.1.0 Zohocorp Manageengine Desktop Central 10 Zohocorp Manageengine Desktop Central 10.0.0 Zohocorp Manageengine Desktop Central 10.0.124 Zohocorp Manageengine Desktop Central 10.0.184 Zohocorp Manageengine Desktop Central 10.0.271 Zohocorp Manageengine Desktop Central 10.0.289 Zohocorp Manageengine Desktop Central 10.0.290 Zohocorp Manageengine Desktop Central 10.0.380 Zohocorp Manageengine Desktop Central 10.0.430 Zohocorp Manageengine Desktop Central 10.0.484 Zohocorp Manageengine Desktop Central 10.0.533 Zohocorp Manageengine Desktop Central 10.0.552.W Zohocorp Manageengine Desktop Central 10.0.647	21

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://www.manageengine.com/products/desktop-central/xxe-vulnerability.html