CVSS: 8.8EPSS: 6%CPEs: 7EXPL: 0CVE-2023-38333 – ManageEngine Applications Manager SingleSignOn Cross-Site Scripting Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-38333
10 Aug 2023 — Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Applications Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the SingleSignOn page. The issue results from the lack of proper validation of user-supplied data, which can lead to the inj... • https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-38333.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2023-32783
https://notcve.org/view.php?id=CVE-2023-32783
07 Aug 2023 — The event analysis component in Zoho ManageEngine ADAudit Plus 7.1.1 allows an attacker to bypass audit detection by creating or renaming user accounts with a "$" symbol suffix. NOTE: the vendor states "We do not consider this as a security bug and it's an expected behaviour." • https://www.peteslade.com/post/manageengine-adauditplus-cve-2023-32783 • CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 1%CPEs: 3EXPL: 0CVE-2023-38332
https://notcve.org/view.php?id=CVE-2023-38332
04 Aug 2023 — Zoho ManageEngine ADManager Plus through 7201 allow authenticated users to take over another user's account via sensitive information disclosure. ADManager Plus de ManageEngine de Zoho a través de 7201 permiten a los usuarios autenticados hacerse cargo de la cuenta de otro usuario a través de la divulgación de información sensible. • https://manageengine.com •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29505
https://notcve.org/view.php?id=CVE-2023-29505
04 Aug 2023 — An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. The WebSocket endpoint allows Cross-site WebSocket hijacking. Se ha descubierto un problema en Network Configuration Manager 12.6.165 de ManageEngine de Zoho. El WebSocket endpoint permite Cross-site WebSocket hijacking. • https://excellium-services.com/cert-xlm-advisory/CVE-2023-29505 • CWE-346: Origin Validation Error •
CVSS: 5.5EPSS: 2%CPEs: 14EXPL: 0CVE-2023-38331
https://notcve.org/view.php?id=CVE-2023-38331
28 Jul 2023 — Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module. • https://manageengine.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2023-34197
https://notcve.org/view.php?id=CVE-2023-34197
07 Jul 2023 — Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make modifications. • https://www.manageengine.com/products/service-desk/CVE-2023-34197.html • CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 1%CPEs: 25EXPL: 0CVE-2023-37308
https://notcve.org/view.php?id=CVE-2023-37308
07 Jul 2023 — Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field. • https://www.manageengine.com/products/active-directory-audit/cve-2023-37308.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 36EXPL: 0CVE-2023-35786
https://notcve.org/view.php?id=CVE-2023-35786
05 Jul 2023 — Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files. • https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-35786.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35719 – ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2023-35719
21 Jun 2023 — ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. • https://www.manageengine.com/products/self-service-password/kb/our-response-to-CVE-2023-35719.html • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 10.0EPSS: 4%CPEs: 15EXPL: 1CVE-2023-35854
https://notcve.org/view.php?id=CVE-2023-35854
20 Jun 2023 — Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability." • https://github.com/bluestarry33/exp • CWE-306: Missing Authentication for Critical Function •