Overview
- Description
- An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.
- Source
- cve@mitre.org
- NVD status
- Analyzed
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity
- HIGH
Weaknesses
- nvd@nist.gov
- CWE-611
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B1F6549B-CF5D-4607-B67D-5489905A1705",
"versionEndExcluding": "2022"
},
{
"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2022:-:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "46580865-5177-4E55-BDAC-73DA4B472B35"
},
{
"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2022:su1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E57E12B5-B789-450C-9476-6C4C151E6993"
},
{
"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2022:su2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E47C65B3-56DD-4D65-8B4B-6AFFE28E94F2"
},
{
"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2022:su3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "10D6EAB7-B14B-45E9-92B9-4FADFBBB08AF"
}
],
"operator": "OR"
}
]
}
]