CVSS: 8.8EPSS: 57%CPEs: 7EXPL: 0CVE-2023-38333 – ManageEngine Applications Manager SingleSignOn Cross-Site Scripting Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-38333
10 Aug 2023 — Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Applications Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the SingleSignOn page. The issue results from the lack of proper validation of user-supplied data, which can lead to the inj... • https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-38333.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 57%CPEs: 12EXPL: 0CVE-2023-29442
https://notcve.org/view.php?id=CVE-2023-29442
26 Apr 2023 — Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS. • https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-29442.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.7EPSS: 6%CPEs: 4EXPL: 0CVE-2023-28340
https://notcve.org/view.php?id=CVE-2023-28340
11 Apr 2023 — Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack. • https://manageengine.com • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.4EPSS: 29%CPEs: 5EXPL: 1CVE-2021-31813
https://notcve.org/view.php?id=CVE-2021-31813
01 Jul 2021 — Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD. Zoho ManageEngine Applications Manager versiones anteriores a 15130, es vulnerable a un ataque de tipo XSS Almacenado al importar detalles de usuarios maliciosos (por ejemplo, un nombre de usuario diseñado) desde AD • https://raxis.com/blog/cve-2021-31813 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 6EXPL: 1CVE-2020-35765
https://notcve.org/view.php?id=CVE-2020-35765
05 Feb 2021 — doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do. doFilter en com.adventnet.appmanager.filter.UriCollector en Zoho ManageEngine Applications Manager versiones hasta 14930, permite una inyección SQL autenticada por medio del parámetro resourceid en showresource.do • https://www.manageengine.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •