CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-0252 – Remote code execution
https://notcve.org/view.php?id=CVE-2024-0252
11 Jan 2024 — ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability. Las versiones 6401 e inferiores de ManageEngine ADSelfService Plus son vulnerables a la ejecución remota de código debido al manejo inadecuado en el componente del balanceador de carga. ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code executio... • https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-0252.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.5EPSS: 0%CPEs: 788EXPL: 1CVE-2023-6105 – ManageEngine Information Disclosure in Multiple Products
https://notcve.org/view.php?id=CVE-2023-6105
15 Nov 2023 — An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database. Existe una vulnerabilidad de divulgación de información en varios productos ManageEngine que puede provocar la exposición de claves de cifrado... • https://www.manageengine.com/security/advisory/CVE/CVE-2023-6105.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 3%CPEs: 15EXPL: 1CVE-2023-35854
https://notcve.org/view.php?id=CVE-2023-35854
20 Jun 2023 — Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability." • https://github.com/bluestarry33/exp • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.8EPSS: 0%CPEs: 204EXPL: 0CVE-2023-28342 – ManageEngine ADSelfService Plus DomainUserSSPLogonAuth Improper Input Validation Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2023-28342
05 Apr 2023 — Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DomainUserSSPLogonAuth method. The issue results from improper input validation. An attacker can leverage this vulnerability to c... • https://manageengine.com • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.4EPSS: 1%CPEs: 19EXPL: 0CVE-2022-36413
https://notcve.org/view.php?id=CVE-2022-36413
23 Mar 2023 — Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications. • https://www.manageengine.com/products/self-service-password/advisory/CVE-2022-36413.html • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 10.0EPSS: 97%CPEs: 158EXPL: 14CVE-2022-47966 – Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-47966
18 Jan 2023 — Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus befor... • https://packetstorm.news/files/id/170925 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-34829
https://notcve.org/view.php?id=CVE-2022-34829
04 Jul 2022 — Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API. Zoho ManageEngine ADSelfService Plus versiones anteriores a 6203, permite una denegación de servicio (reinicio de la aplicación) por medio de una carga útil diseñada para la API de despliegue de aplicaciones móviles • https://www.manageengine.com/products/self-service-password/advisory/CVE-2022-34829.html •
CVSS: 8.8EPSS: 1%CPEs: 64EXPL: 4CVE-2022-29457 – ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure
https://notcve.org/view.php?id=CVE-2022-29457
18 Apr 2022 — Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps. Zoho ManageEngine ADSelfService Plus versiones anteriores a 6121, ADAuditPlus versión 7060, Exchange Reporter Plus versión 5701, y ADManagerPlus versión 7131, permiten una divulgación de NTLM Hash durante determinados pasos de configuración de la ruta de almacenamiento ManageEngine ADSelfService Plus build 6118 suf... • https://packetstorm.news/files/id/167051 • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.1EPSS: 91%CPEs: 24EXPL: 4CVE-2022-28810 – Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-28810
18 Apr 2022 — Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field. Zoho ManageEngine ADSelfService Plus ... • https://packetstorm.news/files/id/166816 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-798: Use of Hard-coded Credentials •
CVSS: 6.1EPSS: 0%CPEs: 23EXPL: 1CVE-2022-24681
https://notcve.org/view.php?id=CVE-2022-24681
07 Apr 2022 — Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen. Zoho ManageEngine ADSelfService Plus versiones anteriores a 6121, permite un ataque de tipo XSS por medio del atributo welcome name en la pantalla Reset Password, Unlock Account, o User Must Change Password • https://manageengine.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •