CVSS: 8.8EPSS: 0%CPEs: 69EXPL: 0CVE-2023-31099
https://notcve.org/view.php?id=CVE-2023-31099
Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers. • https://manageengine.com https://www.manageengine.com/network-monitoring/security-updates/cve-2023-31099.html •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2023-2291
https://notcve.org/view.php?id=CVE-2023-2291
Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user. • https://tenable.com/security/research/tra-2023-16 •
CVSS: 6.1EPSS: 0%CPEs: 12EXPL: 0CVE-2023-29442
https://notcve.org/view.php?id=CVE-2023-29442
Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS. • https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-29442.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 22EXPL: 0CVE-2023-29443
https://notcve.org/view.php?id=CVE-2023-29443
Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint. • https://www.manageengine.com/products/service-desk/CVE-2023-29443.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.2EPSS: 76%CPEs: 33EXPL: 1CVE-2023-29084 – ManageEngine ADManager Plus ChangePasswordAction Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-29084
Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine ADManager Plus. Authentication is required to exploit this vulnerability. The specific flaw exists within the ChangePasswordAction function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. • https://github.com/ohnonoyesyes/CVE-2023-29084 http://packetstormsecurity.com/files/172755/ManageEngine-ADManager-Plus-Command-Injection.html https://manageengine.com https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-29084.html https://hnd3884.github.io/posts/CVE-2023-29084-Command-injection-in-ManageEngine-ADManager-plus https://www.zerodayinitiative.com/advisories/ZDI-23-438 https://www.manageengine.com/products/ad-manager/release-notes.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •