CVE-2022-43473

Summary

A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.

Affected Software

VendorProductVersion RangeStatus
ManageEngineOpManager12.6.168affected

Weaknesses

  • CWE-611: CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References