CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2023-38333 – ManageEngine Applications Manager SingleSignOn Cross-Site Scripting Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-38333
Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Applications Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the SingleSignOn page. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-38333.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 1CVE-2023-32783
https://notcve.org/view.php?id=CVE-2023-32783
The event analysis component in Zoho ManageEngine ADAudit Plus 7.1.1 allows an attacker to bypass audit detection by creating or renaming user accounts with a "$" symbol suffix. NOTE: the vendor states "We do not consider this as a security bug and it's an expected behaviour." • https://www.peteslade.com/post/manageengine-adauditplus-cve-2023-32783 • CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-38332
https://notcve.org/view.php?id=CVE-2023-38332
Zoho ManageEngine ADManager Plus through 7201 allow authenticated users to take over another user's account via sensitive information disclosure. ADManager Plus de ManageEngine de Zoho a través de 7201 permiten a los usuarios autenticados hacerse cargo de la cuenta de otro usuario a través de la divulgación de información sensible. • https://manageengine.com https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-38332.html •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29505
https://notcve.org/view.php?id=CVE-2023-29505
An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. The WebSocket endpoint allows Cross-site WebSocket hijacking. Se ha descubierto un problema en Network Configuration Manager 12.6.165 de ManageEngine de Zoho. El WebSocket endpoint permite Cross-site WebSocket hijacking. • https://excellium-services.com/cert-xlm-advisory/CVE-2023-29505 https://www.manageengine.com/itom/advisory/cve-2023-29505.html https://www.manageengine.com/network-monitoring/help/read-me-complete.html#build_127131 • CWE-346: Origin Validation Error •
CVSS: 5.4EPSS: 0%CPEs: 14EXPL: 0CVE-2023-38331
https://notcve.org/view.php?id=CVE-2023-38331
Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module. • https://manageengine.com https://www.manageengine.com/products/service-desk/CVE-2023-38331.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •