CVSS: 5.4EPSS: 0%CPEs: 25EXPL: 0CVE-2023-37308
https://notcve.org/view.php?id=CVE-2023-37308
Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field. • https://www.manageengine.com/products/active-directory-audit/cve-2023-37308.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 10EXPL: 0CVE-2023-34197
https://notcve.org/view.php?id=CVE-2023-34197
Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make modifications. • https://www.manageengine.com/products/service-desk/CVE-2023-34197.html •
CVSS: 4.9EPSS: 0%CPEs: 36EXPL: 0CVE-2023-35786
https://notcve.org/view.php?id=CVE-2023-35786
Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files. • https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-35786.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35719 – ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2023-35719
ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. • https://www.manageengine.com/products/self-service-password/kb/our-response-to-CVE-2023-35719.html https://www.zerodayinitiative.com/advisories/ZDI-23-891 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 9.8EPSS: 7%CPEs: 15EXPL: 0CVE-2023-35854
https://notcve.org/view.php?id=CVE-2023-35854
Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability." • https://github.com/970198175/Simply-use https://www.manageengine.com • CWE-306: Missing Authentication for Critical Function •