CVSS: 8.8 • EPSS: 0% • CPEs: 69 • EXPL: 0

Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers. • https://manageengine.com https://www.manageengine.com/network-monitoring/security-updates/cve-2023-31099.html

CVSS: 6.1 • EPSS: 0% • CPEs: 12 • EXPL: 0

Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS. • https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-29442.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.9 • EPSS: 0% • CPEs: 22 • EXPL: 0

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint. • https://www.manageengine.com/products/service-desk/CVE-2023-29443.html • CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 7.8 • EPSS: 0% • CPEs: 3 • EXPL: 1

Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user. • https://tenable.com/security/research/tra-2023-16

CVSS: 7.2 • EPSS: 77% • CPEs: 33 • EXPL: 1

Zoho ManageEngine ADManager Plus before 7181 allows authenticated users to exploit command injection via Proxy settings. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine ADManager Plus. Authentication is required to exploit this vulnerability. The specific flaw exists within the ChangePasswordAction function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. • https://github.com/ohnonoyesyes/CVE-2023-29084 http://packetstormsecurity.com/files/172755/ManageEngine-ADManager-Plus-Command-Injection.html https://manageengine.com https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-29084.html https://hnd3884.github.io/posts/CVE-2023-29084-Command-injection-in-ManageEngine-ADManager-plus https://www.zerodayinitiative.com/advisories/ZDI-23-438 https://www.manageengine.com/products/ad-manager/release-notes.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')