
CVSS: 8.8 • EPSS: 0% • CPEs: 7 • EXPL: 0

Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Applications Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the SingleSignOn page. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.

• https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-38333.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 12 • EXPL: 0

Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS.

• https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-29442.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 4 • EXPL: 0

Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.

• https://manageengine.com
• https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2023-28340.html
• CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 7.2 • EPSS: 0% • CPEs: 4 • EXPL: 1

ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality.

• https://fluidattacks.com/advisories/cerati
• https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2022-23050.html
• CWE-427: Uncontrolled Search Path Element