| Vulnerability Details | |
| --- | --- |
| Severity | High |
| CVE ID | CVE-2024-10839 |
| Affected software versions | Build 4503 and below |
| Fixed version | Build 4504 |
| Fixed on | November 08, 2024 |

SharePoint Manager Plus was reported to have an XML External Entity (XXE) vulnerability in the Management tab. This has been fixed in build 4504, and its release notes can be found here.
This vulnerability enables authenticated users with access to the Management tab to read sensitive files stored on the server on which SharePoint Manager Plus is installed, and may also lead to denial-of-service, server-side request forgery, and port scanning attacks.
Given the severity of this vulnerability, customers are strongly advised to update SharePoint Manager Plus to the latest build immediately by following the steps mentioned below,
If you have any questions or need assistance updating the product to the latest version, please contact support@sharepointmanagerplus.com.
This vulnerability was discovered by Zewei Zhang from NSFOCUS TIANJI Lab via Zoho's Bug Bounty program.