CVE-2022-37024 – ManageEngine OpManager Plus getDNSResolveOption Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-37024
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 ( 125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code execution. Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer y OpUtils versiones anteriores a 29-07-2022 hasta 30-07-2022 ( 125658, 126003, 126105 y 126120) permiten a usuarios autenticados realizar cambios en la base de datos que conllevan a una ejecución de código remota This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine OpManager Plus. Authentication is required to exploit this vulnerability. The specific flaw exists within the getDNSResolveOption function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://www.manageengine.com/itom/advisory/cve-2022-37024.html •
CVE-2022-35404
https://notcve.org/view.php?id=CVE-2022-35404
ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine. ManageEngine Password Manager Pro versiones 12100 y anteriores y OPManager versiones 126100 y anteriores son vulnerables a una creación no autorizada de archivos y directorios en un equipo servidor • https://manageengine.com https://www.manageengine.com/itom/advisory/cve-2022-35404.html • CWE-20: Improper Input Validation •
CVE-2021-43319
https://notcve.org/view.php?id=CVE-2021-43319
Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality. Zoho ManageEngine Network Configuration Manager versiones anteriores a 125488, es vulnerable a una inyección de comandos debido a que la comprobación de la funcionalidad Ping no es apropiada • https://manageengine.com https://www.manageengine.com/network-configuration-manager/release-notes.html#125488 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2021-41081
https://notcve.org/view.php?id=CVE-2021-41081
Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a configuration search. Zoho ManageEngine Network Configuration Manager versiones anteriores a 125465, es vulnerable a una inyección de SQL en una búsqueda de configuración • https://github.com/sudaiv/CVE-2021-41081 https://www.manageengine.com/network-configuration-manager/security-updates/cve-2021-41081.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-41080
https://notcve.org/view.php?id=CVE-2021-41080
Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a hardware details search. Zoho ManageEngine Network Configuration Manager versiones anteriores a 125465, es vulnerable a una inyección de SQL en una búsqueda de detalles de hardware • https://www.manageengine.com/network-configuration-manager/security-updates/cve-2021-41080.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •