CVSS: 5.5EPSS: 0%CPEs: 788EXPL: 1CVE-2023-6105 – ManageEngine Information Disclosure in Multiple Products
https://notcve.org/view.php?id=CVE-2023-6105
15 Nov 2023 — An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database. Existe una vulnerabilidad de divulgación de información en varios productos ManageEngine que puede provocar la exposición de claves de cifrado... • https://www.manageengine.com/security/advisory/CVE/CVE-2023-6105.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.1EPSS: 2%CPEs: 235EXPL: 0CVE-2023-35785
https://notcve.org/view.php?id=CVE-2023-35785
28 Aug 2023 — Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4161 and below, Data Security Plus 6110 and below, Eventlog Analyzer 12301 and below, Exchange Reporter Plus 5709 and below, Log360 5315 and below, Log360 UEBA 4045 and below, M365 Manager Plus 4529 and below, M365 Security Plus 4529 and below, Recovery Manager Plus 6061 and below, ServiceDesk Plus 14204 and bel... • https://manageengine.com • CWE-287: Improper Authentication •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2023-34197
https://notcve.org/view.php?id=CVE-2023-34197
07 Jul 2023 — Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make modifications. • https://www.manageengine.com/products/service-desk/CVE-2023-34197.html • CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 0%CPEs: 22EXPL: 0CVE-2023-29443
https://notcve.org/view.php?id=CVE-2023-29443
26 Apr 2023 — Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint. • https://www.manageengine.com/products/service-desk/CVE-2023-29443.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.8EPSS: 0%CPEs: 48EXPL: 0CVE-2023-26601 – ManageEngine ServiceDesk Plus ImageUploadServlet Improper Input Validation Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2023-26601
06 Mar 2023 — Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS). This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of ManageEngine ServiceDesk Plus. Authentication is required to exploit this vulnerability. The specific flaw exists within the ImageUploadServlet. The issue results from the lack of proper input validation. An attacker c... • https://manageengine.com • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.8EPSS: 0%CPEs: 80EXPL: 0CVE-2023-26600 – ManageEngine ServiceDesk Plus MSP generateSQLReport Improper Input Validation Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-26600
06 Mar 2023 — ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports. This vulnerability allows remote attackers to escalate privileges on affected installations of ManageEngine ServiceDesk Plus MSP. Authentication is required to exploit this vulnerability. The specific flaw exists within the generateSQLReport function. The issue results from the lack of proper validation of user-suppl... • https://manageengine.com •
CVSS: 6.4EPSS: 0%CPEs: 8EXPL: 0CVE-2023-23073
https://notcve.org/view.php?id=CVE-2023-23073
01 Feb 2023 — Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component. • https://bugbounty.zohocorp.com/bb/#/bug/101000006459171?tab=originator • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 14EXPL: 0CVE-2023-23077
https://notcve.org/view.php?id=CVE-2023-23077
01 Feb 2023 — Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment. • https://bugbounty.zohocorp.com/bb/#/bug/101000006387693?tab=originator • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 8EXPL: 0CVE-2023-23074
https://notcve.org/view.php?id=CVE-2023-23074
01 Feb 2023 — Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component. • https://bugbounty.zohocorp.com/bb/#/bug/101000006459195?tab=originator • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 8EXPL: 0CVE-2023-23078
https://notcve.org/view.php?id=CVE-2023-23078
01 Feb 2023 — Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets. • https://bugbounty.zohocorp.com/bb/#/bug/101000006458675?tab=originator • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •