Vulnerability Details | |
Severity | High Severity |
CVE ID | CVE-2023-22624 |
Affected software versions | Builds 5707 and below |
Fixed version | Build 5708 |
Fixed on | 10 January 2023 |
CVE-2023-22624 refers to an API in ManageEngine Exchange Reporter Plus that was vulnerable to XML external entity (XXE) injection attacks.
We have now released Exchange Reporter Plus build 5708, which fixes the issue by removing that API.
Under specific circumstances, a remote attacker can send a specially crafted malformed request to this vulnerable API to carry out an XXE attack and read system files.
Update your Exchange Reporter Plus installation to build 5708 using the service pack.
This issue was reported by KyoDream through the Zoho BugBounty program.