CVSS: 10.0EPSS: 0%CPEs: 8EXPL: 0CVE-2021-33055
https://notcve.org/view.php?id=CVE-2021-33055
Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions. Zoho ManageEngine ADSelfService Plus versiones hasta 6102, permite una ejecución de código remota no autenticado en ediciones no Inglesas. • https://blog.stmcyber.com/vulns/cve-2021-33055 https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-33256
https://notcve.org/view.php?id=CVE-2021-33256
A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as CSV file. Note: The vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side. ** EN DISPUTA ** Una vulnerabilidad de inyección CSV en el panel de inicio de sesión de ManageEngine ADSelfService Plus Versión: 6.1 Build No: 6101, puede ser explotada por un usuario no autenticado. El parámetro j_username parece ser vulnerable y se podría obtener un shell inverso si un usuario con privilegios exporta "User Attempts Audit Report" como archivo CSV. • https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 5.9EPSS: 1%CPEs: 6EXPL: 1CVE-2021-31874
https://notcve.org/view.php?id=CVE-2021-31874
Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application. Zoho ManageEngine ADSelfService Plus versiones anteriores a 6104, en raras situaciones, permite a atacantes obtener información confidencial sobre la aplicación de base de datos de sincronización de contraseñas • https://blog.stmcyber.com/vulns/cve-2021-31874 https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released-with-an-important-security-fixes •
CVSS: 9.8EPSS: 2%CPEs: 164EXPL: 0CVE-2021-28958
https://notcve.org/view.php?id=CVE-2021-28958
Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password. Zoho ManageEngine ADSelfService Plus versiones hasta 6101, es vulnerable a una Ejecución de Código Remota no autenticada mientras se cambia la contraseña • https://blog.stmcyber.com/vulns/cve-2021-28958 https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6102-released-with-an-important-security-fix-21-3-2021 https://www.manageengine.com https://www.manageengine.com/products/self-service-password/release-notes.html#6102 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 1CVE-2021-27956
https://notcve.org/view.php?id=CVE-2021-27956
Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field. Zoho ManageEngine ADSelfService Plus versiones anteriores a 6104, permite un ataque de tipo XSS almacenado en la página de búsqueda de usuarios /webclient/index.html#/directory-search por medio del campo e-mail address • https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released-with-an-important-security-fixes https://raxis.com/blog/cve-2021-27956-manage-engine-xss https://www.manageengine.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •