
CVE-2022-25245
https://notcve.org/view.php?id=CVE-2022-25245
05 Apr 2022 — Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name. • https://manageengine.com • CWE-306: Missing Authentication for Critical Function

CVE-2022-24978
https://notcve.org/view.php?id=CVE-2022-24978
05 Apr 2022 — Zoho ManageEngine ADAudit Plus before 7055 allows authenticated privilege escalation on integrated products. This occurs because a password field is present in a JSON response. • https://manageengine.com • CWE-319: Cleartext Transmission of Sensitive Information • CWE-522: Insufficiently Protected Credentials

CVE-2022-24447
https://notcve.org/view.php?id=CVE-2022-24447
02 Mar 2022 — An issue was discovered in Zoho ManageEngine Key Manager Plus before 6200. A service exposed by the application allows a user, with the level Operator, to access stored SSL certificates and associated key pairs during export. • https://excellium-services.com/cert-xlm-advisory/cve-2022-24447

CVE-2022-24305
https://notcve.org/view.php?id=CVE-2022-24305
02 Mar 2022 — Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation. • https://www.manageengine.com/sharepoint-management-reporting/release-notes.html#4329

CVE-2022-24306
https://notcve.org/view.php?id=CVE-2022-24306
02 Mar 2022 — Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled. • https://www.manageengine.com/sharepoint-management-reporting/release-notes.html#4329 • CWE-863: Incorrect Authorization

CVE-2022-23779
https://notcve.org/view.php?id=CVE-2022-23779
02 Mar 2022 — Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses. • https://github.com/fbusr/CVE-2022-23779 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2022-24446
https://notcve.org/view.php?id=CVE-2022-24446
01 Mar 2022 — An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user, with the level Operator, can see all SSH servers (and user information) even if no SSH server or user is associated with the operator. • https://excellium-services.com/cert-xlm-advisory/cve-2022-24446

CVE-2022-23863
https://notcve.org/view.php?id=CVE-2022-23863
28 Jan 2022 — Zoho ManageEngine Desktop Central before 10.1.2137.10 allows an authenticated user to change any user's login password. • https://www.manageengine.com/products/desktop-central/privilege-escalation-vulnerability.html

CVE-2021-46065
https://notcve.org/view.php?id=CVE-2021-46065
27 Jan 2022 — A cross-site scripting (XSS) vulnerability in the Secondary Email field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows attackers to inject arbitrary JavaScript code. • https://github.com/corrupted-brain/Findings/blob/main/ManageEngine%20XSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-44757
https://notcve.org/view.php?id=CVE-2021-44757
18 Jan 2022 — Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server. • https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022