CVE-2022-36923 – ManageEngine OpManager Plus getUserAPIKey Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2022-36923
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs. Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer y OpUtils versiones anteriores a 27-07-2022 hasta 28-07-2022 (125657, 126002, 126104 y 126118) permiten a atacantes no autenticados obtener la clave API de un usuario y luego acceder a APIs externas This vulnerability allows remote attackers to bypass authentication on affected installations of ManageEngine OpManager Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getUserAPIKey function. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. • https://www.manageengine.com/itom/advisory/cve-2022-36923.html • CWE-755: Improper Handling of Exceptional Conditions •
CVE-2022-37024 – ManageEngine OpManager Plus getDNSResolveOption Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-37024
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 ( 125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code execution. Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer y OpUtils versiones anteriores a 29-07-2022 hasta 30-07-2022 ( 125658, 126003, 126105 y 126120) permiten a usuarios autenticados realizar cambios en la base de datos que conllevan a una ejecución de código remota This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine OpManager Plus. Authentication is required to exploit this vulnerability. The specific flaw exists within the getDNSResolveOption function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://www.manageengine.com/itom/advisory/cve-2022-37024.html •
CVE-2022-36412
https://notcve.org/view.php?id=CVE-2022-36412
In Zoho ManageEngine SupportCenter Plus before 11023, V3 API requests are vulnerable to authentication bypass. (An API request may, in effect, be executed with the credentials of a user who authenticated in the past.) En Zoho ManageEngine SupportCenter Plus versiones anteriores a 11023, las peticiones de la API versión V3 son vulnerables a una omisión de la autenticación. (Una petición API puede, en efecto, ser ejecutada con las credenciales de un usuario que fue autenticado en el pasado). • https://www.manageengine.com/products/support-center/cve-2022-36412.html • CWE-287: Improper Authentication •
CVE-2022-35405 – Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-35405
Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.) Zoho ManageEngine Password Manager Pro versiones anteriores a 12101 y PAM360 versiones anteriores a 5510, son vulnerables a una ejecución de código remota sin autenticación. (Esto también afecta a ManageEngine Access Manager Plus versiones anteriores a 4303 con autenticación). Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability that allows for remote code execution. • https://github.com/viniciuspereiras/CVE-2022-35405 http://packetstormsecurity.com/files/167918/Zoho-Password-Manager-Pro-XML-RPC-Java-Deserialization.html https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html https://xz.aliyun.com/t/11578 https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm • CWE-502: Deserialization of Untrusted Data •
CVE-2022-35404
https://notcve.org/view.php?id=CVE-2022-35404
ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine. ManageEngine Password Manager Pro versiones 12100 y anteriores y OPManager versiones 126100 y anteriores son vulnerables a una creación no autorizada de archivos y directorios en un equipo servidor • https://manageengine.com https://www.manageengine.com/itom/advisory/cve-2022-35404.html • CWE-20: Improper Input Validation •