CVSS: 9.8EPSS: 9%CPEs: 139EXPL: 0CVE-2022-29535
https://notcve.org/view.php?id=CVE-2022-29535
Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports. Zoho ManageEngine OPManager versiones hasta 125588, permite una inyección SQL por medio de algunos informes por defecto • https://manageengine.com https://www.manageengine.com/network-monitoring/security-updates/cve-2022-29535.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 59%CPEs: 50EXPL: 1CVE-2022-29081
https://notcve.org/view.php?id=CVE-2022-29081
Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. • https://www.manageengine.com/privileged-session-management/advisory/cve-2022-29081.html https://www.tenable.com/security/research/tra-2022-14 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 1%CPEs: 64EXPL: 3CVE-2022-29457 – ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure
https://notcve.org/view.php?id=CVE-2022-29457
Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps. Zoho ManageEngine ADSelfService Plus versiones anteriores a 6121, ADAuditPlus versión 7060, Exchange Reporter Plus versión 5701, y ADManagerPlus versión 7131, permiten una divulgación de NTLM Hash durante determinados pasos de configuración de la ruta de almacenamiento ManageEngine ADSelfService Plus build 6118 suffers from an NTLMv2 hash exposure vulnerability. • https://www.exploit-db.com/exploits/50904 http://packetstormsecurity.com/files/167051/ManageEngine-ADSelfService-Plus-Build-6118-NTLMv2-Hash-Exposure.html https://docs.unsafe-inline.com/0day/multiple-manageengine-applications-critical-information-disclosure-vulnerability https://www.manageengine.com/products/self-service-password/release-notes.html • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.1EPSS: 93%CPEs: 24EXPL: 3CVE-2022-28810 – Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-28810
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field. Zoho ManageEngine ADSelfService Plus antes de la compilación 6122 permite a un administrador remoto autenticado ejecutar comandos arbitrarios del sistema operativo como SYSTEM a través de la función de script personalizado de la política. Debido al uso de una contraseña de administrador por defecto, los atacantes pueden ser capaces de abusar de esta funcionalidad con un esfuerzo mínimo. • http://packetstormsecurity.com/files/166816/ManageEngine-ADSelfService-Plus-Custom-Script-Execution.html https://github.com/rapid7/metasploit-framework/pull/16475 https://www.manageengine.com/products/self-service-password/kb/cve-2022-28810.html https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-798: Use of Hard-coded Credentials •
CVSS: 8.8EPSS: 0%CPEs: 136EXPL: 0CVE-2022-27908
https://notcve.org/view.php?id=CVE-2022-27908
Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module. Zoho ManageEngine OpManager versiones anteriores a 125588 (y antes de 125603) es vulnerable a una inyección SQL autenticada en el módulo de informes de inventario • https://www.manageengine.com/network-monitoring/security-updates/cve-2022-27908.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •