
CVE-2024-0269 – SQL Injection
https://notcve.org/view.php?id=CVE-2024-0269
02 Feb 2024 — ManageEngine ADAudit Plus versions 7270 and below are vulnerable to authenticated SQL injection in File-Summary DrillDown. This issue has been fixed and released in version 7271. • https://www.manageengine.com/products/active-directory-audit/sqlfix-7271.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2024-0253 – SQL Injection
https://notcve.org/view.php?id=CVE-2024-0253
02 Feb 2024 — ManageEngine ADAudit Plus versions 7270 and below are vulnerable to authenticated SQL injection in home Graph-Data. • https://www.manageengine.com/products/active-directory-audit/sqlfix-7271.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2023-48792
https://notcve.org/view.php?id=CVE-2023-48792
02 Feb 2024 — Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option. • https://manageengine.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2023-48793
https://notcve.org/view.php?id=CVE-2023-48793
02 Feb 2024 — Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature. • https://manageengine.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2023-50785
https://notcve.org/view.php?id=CVE-2023-50785
25 Jan 2024 — Zoho ManageEngine ADAudit Plus before 7270 allows admin users to view names of arbitrary directories via path traversal. • https://www.manageengine.com/products/active-directory-audit/cve-2023-50785.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2023-49943
https://notcve.org/view.php?id=CVE-2023-49943
18 Jan 2024 — Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet. • https://manageengine.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-0252 – Remote code execution
https://notcve.org/view.php?id=CVE-2024-0252
11 Jan 2024 — ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to remote code execution due to improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability. • https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-0252.html • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2023-47211
https://notcve.org/view.php?id=CVE-2023-47211
08 Jan 2024 — A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MIB file to trigger this vulnerability. • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1851 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2023-50891 – WordPress Zoho Forms Plugin <= 3.0.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-50891
26 Dec 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Forms Form plugin for WordPress – Zoho Forms allows Stored XSS. This issue affects Form plugin for WordPress – Zoho Forms: from n/a through 3.0.1. • https://patchstack.com/database/vulnerability/zoho-forms/wordpress-zoho-forms-plugin-3-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-48646 – ManageEngine Recovery Manager Plus getEscapedValue Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-48646
22 Nov 2023 — Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Recovery Manager Plus. Authentication is required to exploit this vulnerability. The specific flaw exists within the ge... • https://www.manageengine.com/ad-recovery-manager/advisory/CVE-2023-48646.html