
CVSS: 9.8 • EPSS: 31% • CPEs: 139 • EXPL: 0

05 May 2022 — Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports. • https://manageengine.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.8 • EPSS: 14% • CPEs: 50 • EXPL: 1

28 Apr 2022 — Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. • https://www.manageengine.com/privileged-session-management/advisory/cve-2022-29081.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 8.8 • EPSS: 8% • CPEs: 64 • EXPL: 4

18 Apr 2022 — Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps. ManageEngine ADSelfService Plus build 6118 suf... • https://packetstorm.news/files/id/167051 • CWE-522: Insufficiently Protected Credentials •

CVSS: 7.1 • EPSS: 91% • CPEs: 24 • EXPL: 4

18 Apr 2022 — Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field. Zoho ManageEngine ADSelfService Plus ... • https://packetstorm.news/files/id/166816 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') • CWE-798: Use of Hard-coded Credentials •

CVSS: 8.8 • EPSS: 4% • CPEs: 136 • EXPL: 0

18 Apr 2022 — Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module. • https://www.manageengine.com/network-monitoring/security-updates/cve-2022-27908.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 5.3 • EPSS: 2% • CPEs: 1 • EXPL: 1

16 Apr 2022 — Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator). • https://raxis.com/blog/cve-2022-26653-and-cve-2022-26777 • CWE-425: Direct Request ('Forced Browsing') •

CVSS: 5.3 • EPSS: 2% • CPEs: 1 • EXPL: 1

16 Apr 2022 — Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details. • https://raxis.com/blog/cve-2022-26653-and-cve-2022-26777 • CWE-425: Direct Request ('Forced Browsing') •

CVSS: 6.1 • EPSS: 20% • CPEs: 23 • EXPL: 1

07 Apr 2022 — Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen. • https://manageengine.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8 • EPSS: 94% • CPEs: 14 • EXPL: 6

05 Apr 2022 — Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution. • https://packetstorm.news/files/id/167997 • CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 5.4 • EPSS: 4% • CPEs: 22 • EXPL: 1

05 Apr 2022 — Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history. • https://manageengine.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •