CVE-2023-38333 – ManageEngine Applications Manager SingleSignOn Cross-Site Scripting Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-38333
Zoho ManageEngine Applications Manager through build 16530 allows reflected XSS against a logged-in user. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Applications Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the SingleSignOn page. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-38333.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-29442
https://notcve.org/view.php?id=CVE-2023-29442
Zoho ManageEngine Applications Manager before build 16400 allows DOM-based XSS in proxy.html. • https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-29442.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28340
https://notcve.org/view.php?id=CVE-2023-28340
Zoho ManageEngine Applications Manager through build 16320 allows an authenticated admin user to conduct an XML External Entity (XXE) attack. • https://manageengine.com • https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-28340.html • CWE-611: Improper Restriction of XML External Entity Reference
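The entry above only names the bug class. The following added example (written for this page, not code from Zoho or from Applications Manager, which is a Java product) shows what an XXE flaw of this kind gives an attacker and what the standard fix looks like, using Python's stdlib expat binding so it runs offline. The payload, the "secret" file it reads and the parser code are all constructed for the demonstration; nothing about the product's real XML endpoints is known from the page.

```python
import os
import tempfile
import xml.parsers.expat as expat

# Constructed sample: a file on the server that the attacker wants to read out.
SECRET_CONTENT = "db.password=hunter2\n"

# Constructed XXE payload in the classic shape; %s is replaced with the path of the
# file to exfiltrate. An admin who can submit XML to a vulnerable endpoint sends this.
XXE_TEMPLATE = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file://%s"> ]>\n'
    b"<data>&xxe;</data>"
)


class DoctypeRejected(Exception):
    """Raised by the hardened parser when a document carries a DOCTYPE (and so may declare entities)."""


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Expat parser that resolves external general entities from the local filesystem (the flaw)."""
    parser = expat.ParserCreate()
    text = []

    def resolve_external(context, base, system_id, public_id):
        # Treat file:// (or a bare path) system IDs as local files and splice them in.
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        child = parser.ExternalEntityParserCreate(context)  # inherits this parser's handlers
        with open(path, "rb") as fh:
            child.Parse(fh.read(), True)  # replacement text flows into CharacterDataHandler
        return 1

    parser.ExternalEntityRefHandler = resolve_external
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)


def parse_hardened(xml_bytes: bytes) -> str:
    """Same parser with DOCTYPE forbidden outright, so no entity (internal or external) can be declared."""
    parser = expat.ParserCreate()
    text = []

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE declaration for {name!r} rejected")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Belt and braces: even if a DOCTYPE slipped through, refuse to resolve external entities
    # (returning 0 makes expat abort the parse with an ExpatError).
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 0
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)


def run_demo() -> dict:
    """Plant a secret file, feed the payload to both parsers, and report what each one did."""
    fd, secret_path = tempfile.mkstemp(suffix=".properties")
    with os.fdopen(fd, "w") as fh:
        fh.write(SECRET_CONTENT)
    try:
        payload = XXE_TEMPLATE % secret_path.encode()
        leaked = parse_vulnerable(payload)          # file contents come back inside the document
        try:
            parse_hardened(payload)
            blocked = False
        except DoctypeRejected:
            blocked = True                          # hardened parser refuses before any entity is declared
        benign = parse_hardened(b"<data>status=ok</data>")  # ordinary documents still parse
    finally:
        os.unlink(secret_path)
    return {"leaked": leaked, "blocked": blocked, "benign": benign}


if __name__ == "__main__":
    print(run_demo())
```

Rejecting the DOCTYPE is the same control that JAXP exposes in Java as the `http://apache.org/xml/features/disallow-doctype-decl` feature on `DocumentBuilderFactory`/`SAXParserFactory`; whether that is what the vendor's fix did is not stated on the page. Note also the privilege boundary in this CVE: the attacker is already an application admin, and XXE still matters because it turns web-application privileges into arbitrary file reads (and, with some parsers, outbound requests) on the monitoring server itself.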
CVE-2023-28341
https://notcve.org/view.php?id=CVE-2023-28341
Stored cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through build 16340 allows an unauthenticated user to inject malicious JavaScript on the incorrect login details page. • https://manageengine.com • https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-28341.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
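Both CWE-79 entries above (the reflected XSS in the SingleSignOn page, CVE-2023-38333, and the stored XSS on the incorrect-login page here) come down to the same missing step: user-supplied text written into HTML without contextual output encoding. The added example below is not the product's code and does not reproduce its page; it models a login-error page that echoes the submitted username both as element text and inside an attribute, with a vulnerable and a hardened renderer side by side. The payload and the page template are constructed for the demonstration.

```python
import html

# Constructed sample: what an attacker submits as the username on the login form.
# It closes the value="..." attribute first, so it fires in both contexts below.
XSS_PAYLOAD = '"><script>alert(document.cookie)</script>'

# Constructed stand-in for an "incorrect login details" page: the username lands in
# element text (message) and in an attribute value (pre-filled form field).
PAGE_TEMPLATE = (
    "<p>Incorrect login details for user: {user_text}</p>\n"
    '<form method="post"><input name="username" value="{user_attr}"></form>'
)


def render_login_error_vulnerable(username: str) -> str:
    """Echoes the submitted username verbatim: the bug class behind CVE-2023-28341."""
    return PAGE_TEMPLATE.format(user_text=username, user_attr=username)


def render_login_error_hardened(username: str) -> str:
    """HTML-entity-encodes the value; quote=True also neutralises '\"' so attributes cannot be broken out of."""
    safe = html.escape(username, quote=True)
    return PAGE_TEMPLATE.format(user_text=safe, user_attr=safe)


def contains_script_tag(page: str) -> bool:
    """Demo check: does a live <script> tag survive in the rendered page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_login_error_vulnerable(XSS_PAYLOAD))
    print(render_login_error_hardened(XSS_PAYLOAD))
```

Encoding must match the context the data is written into: `html.escape` covers element text and double-quoted attribute values, but a value placed inside a JavaScript block or a URL needs that context's encoder instead. For the stored variant, encode on output rather than on storage, so that the same stored string stays safe in every page that later displays it.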
CVE-2022-23050
https://notcve.org/view.php?id=CVE-2022-23050
ManageEngine AppManager15 (Build No: 15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality. Because the uploaded library is picked up from a directory on the application's DLL search path, an application-level admin gains native code execution on the host. • https://fluidattacks.com/advisories/cerati • https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2022-23050.html • CWE-427: Uncontrolled Search Path Element