CVE-2022-41978 – WordPress Zoho CRM Lead Magnet plugin <= 1.7.5.8 - Auth. Arbitrary Options Update vulnerability
https://notcve.org/view.php?id=CVE-2022-41978
Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin <= 1.7.5.8 on WordPress. The Zoho CRM Lead Magnet plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on one of its functions in versions up to, and including, 1.7.5.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to update arbitrary options that can be used to enable user registration and create administrative user accounts.
References: https://patchstack.com/database/vulnerability/zoho-crm-forms/wordpress-zoho-crm-lead-magnet-plugin-1-7-5-6-auth-arbitrary-options-update-vulnerability?_s_id=cve ; https://wordpress.org/plugins/zoho-crm-forms/#developers
CWE-264: Permissions, Privileges, and Access Controls; CWE-862: Missing Authorization
CVE-2022-40300
https://notcve.org/view.php?id=CVE-2022-40300
Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 have multiple SQL injection vulnerabilities.
Reference: https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-40300.html
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-38772 – ManageEngine OpManager getNmapInitialOption Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-38772
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes that lead to remote code execution in the NMAP feature. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine OpManager. Authentication is required to exploit this vulnerability. The specific flaw exists within the getNmapInitialOption function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
References: https://manageengine.com ; https://www.manageengine.com/itom/advisory/cve-2022-38772.html
CVE-2020-21641
https://notcve.org/view.php?id=CVE-2020-21641
Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote attackers to read arbitrary files, enumerate folders and scan internal ports via a crafted XML license file.
Reference: https://www.manageengine.com/analytics-plus/release-notes.html
CWE-611: Improper Restriction of XML External Entity Reference
CVE-2020-21642
https://notcve.org/view.php?id=CVE-2020-21642
Directory Traversal vulnerability in the ZDBQAREFSUBDIR parameter of the /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.
Reference: https://www.manageengine.com/analytics-plus/release-notes.html
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')