CVE-2023-28341
https://notcve.org/view.php?id=CVE-2023-28341
Stored cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious JavaScript on the incorrect login details page. • https://manageengine.com https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-28341.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28340
https://notcve.org/view.php?id=CVE-2023-28340
Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack. • https://manageengine.com https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-28340.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2023-28342 – ManageEngine ADSelfService Plus DomainUserSSPLogonAuth Improper Input Validation Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2023-28342
Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DomainUserSSPLogonAuth method. The issue results from improper input validation. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. • https://manageengine.com https://www.manageengine.com/products/self-service-password/advisory/CVE-2023-28342.html •
CVE-2022-43473
https://notcve.org/view.php?id=CVE-2022-43473
A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability. • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1685 https://www.manageengine.com/itom/advisory/cve-2022-43473.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2022-36413
https://notcve.org/view.php?id=CVE-2022-36413
Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications. • https://www.manageengine.com/products/self-service-password/advisory/CVE-2022-36413.html • CWE-307: Improper Restriction of Excessive Authentication Attempts •