CVSS: 4.3EPSS: 4%CPEs: 1EXPL: 3CVE-2010-3272 – ManageEngine ADSelfService Plus 4.4 - POST Manipulation Security Question
https://notcve.org/view.php?id=CVE-2010-3272
accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it easier for remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, via a modified (1) Hide_Captcha or (2) quesList parameter in a validateAll action. accounts/ValidateAnswers en la implementación de seguridad-preguntas en Zoho ManageEngine ADSelfService Plus anterior a v4.5 Build 4500 facilita a los atacantes remotos restablecer las contraseñas de usuario, y en consecuencia obtener acceso a cuentas de usuario arbitrarias, a través de una modificación de los parámetros (1) Hide_Captcha o (2) quesList en una acción validateAll. • https://www.exploit-db.com/exploits/35330 http://secunia.com/advisories/43241 http://securityreason.com/securityalert/8089 http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities http://www.osvdb.org/70870 http://www.securityfocus.com/archive/1/516396/100/0/threaded http://www.securityfocus.com/bid/46331 http://www.vupen.com/english/advisories/2011/0392 https://exchange.xforce.ibmcloud.com/vulnerabilities/65350 • CWE-20: Improper Input Validation •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 2CVE-2010-3273
https://notcve.org/view.php?id=CVE-2010-3273
ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allows remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, by providing a user id to accounts/ValidateUser, and then providing a new password to accounts/ResetResult. Zoho ManageEngine ADSelfService Plus anterior a v4.5 Build 4500 permite a atacantes remotos restablecer las contraseñas de usuario, y en consecuencia obtener acceso a cuentas de usuario arbitrarias al proporcionar un identificador de usuario a accounts/ValidateUser, y, a continuación proporcionando una nueva contraseña para accounts/ResetResult. • http://secunia.com/advisories/43241 http://securityreason.com/securityalert/8089 http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities http://www.osvdb.org/70869 http://www.securityfocus.com/archive/1/516396/100/0/threaded http://www.securityfocus.com/bid/46331 http://www.vupen.com/english/advisories/2011/0392 https://exchange.xforce.ibmcloud.com/vulnerabilities/65348 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 87%CPEs: 1EXPL: 5CVE-2010-3274 – ManageEngine ADSelfService Plus 4.4 - 'EmployeeSearch.cc' Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2010-3274
Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en EmployeeSearch.cc en el Employee Search Engine en ZOHO ManageEngine ADSelfService Plus anterior a v4.5 Build 4500 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro searchString en la acción (1) showList o (2) Search. • https://www.exploit-db.com/exploits/35331 http://secunia.com/advisories/43241 http://securityreason.com/securityalert/8089 http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities http://www.osvdb.org/70871 http://www.osvdb.org/70872 http://www.securityfocus.com/archive/1/516396/100/0/threaded http://www.securityfocus.com/bid/46331 http://www.vupen.com/english/advisories/2011/0392 https://exchange.xforce.ibmcloud.com/vulnerabilities/65349 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •