CVE-2021-28382
https://notcve.org/view.php?id=CVE-2021-28382
Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD.
• https://raxis.com/blog/cve-2021-28382 https://www.manageengine.com/key-manager/release-notes.html#6001
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-27956
https://notcve.org/view.php?id=CVE-2021-27956
Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.
• https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released-with-an-important-security-fixes https://raxis.com/blog/cve-2021-27956-manage-engine-xss https://www.manageengine.com
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-28959
https://notcve.org/view.php?id=CVE-2021-28959
Zoho ManageEngine Eventlog Analyzer through 12147 is vulnerable to unauthenticated directory traversal via an entry in a ZIP archive. This leads to remote code execution.
• https://www.manageengine.com https://www.manageengine.com/products/eventlog/features-new.html#release
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-3287 – ManageEngine OpManager SumPDU Java Deserialization
https://notcve.org/view.php?id=CVE-2021-3287
Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class. An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of the OpManager application. This vulnerability is also present in other products that are built on top of the OpManager application. This vulnerability affects OpManager versions 12.1 through 12.5.328.
• http://packetstormsecurity.com/files/164231/ManageEngine-OpManager-SumPDU-Java-Deserialization.html https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125329
• CWE-502: Deserialization of Untrusted Data
CVE-2021-20080
https://notcve.org/view.php?id=CVE-2021-20080
Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file.
• https://www.tenable.com/security/research/tra-2021-11
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')