CVE-2024-10839 - XML External Entity (XXE) vulnerability in SharePoint Manager Plus

Details

SharePoint Manager Plus was reported to have an XML External Entity (XXE) vulnerability in the Management tab. This has been fixed in build 4504, and its release notes can be found here.

Impact

This vulnerability enables authenticated users with access to the Management tab to read sensitive files stored on the server in which SharePoint Manager Plus is installed and may also lead to denial of service, server side request forgery, and port scanning attacks.

What should I do?

Given the severity of this vulnerability, customers are strongly advised to update SharePoint Manager Plus to the latest build immediately by following the steps mentioned below,

1. Download the latest service pack.
2. Apply the service pack to your existing product installation by following the instructions provided in the above link.

If you have any questions or need assistance updating the product to the latest version, please contact support@sharepointmanagerplus.com.

Acknowledgement

This vulnerability was discovered by Zewei Zhang from NSFOCUS TIANJI Lab via Zoho's Bug Bounty program.