CVSS: 5.5EPSS: 0%CPEs: 788EXPL: 1CVE-2023-6105 – ManageEngine Information Disclosure in Multiple Products
https://notcve.org/view.php?id=CVE-2023-6105
15 Nov 2023 — An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database. Existe una vulnerabilidad de divulgación de información en varios productos ManageEngine que puede provocar la exposición de claves de cifrado... • https://www.manageengine.com/security/advisory/CVE/CVE-2023-6105.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 94%CPEs: 158EXPL: 14CVE-2022-47966 – Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-47966
18 Jan 2023 — Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus befor... • https://packetstorm.news/files/id/170925 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 5%CPEs: 1EXPL: 1CVE-2022-26653
https://notcve.org/view.php?id=CVE-2022-26653
16 Apr 2022 — Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator). Zoho ManageEngine Remote Access Plus versiones anteriores a 10.1.2137.15, permite a usuarios invitados visualizar los detalles del dominio (como el nombre de usuario y el GUID de un administrador) • https://raxis.com/blog/cve-2022-26653-and-cve-2022-26777 • CWE-425: Direct Request ('Forced Browsing') •
CVSS: 5.3EPSS: 5%CPEs: 1EXPL: 1CVE-2022-26777
https://notcve.org/view.php?id=CVE-2022-26777
16 Apr 2022 — Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details. Zoho ManageEngine Remote Access Plus versiones anteriores a 10.1.2137.15, permite a usuarios invitados visualizar los detalles de la licencia • https://raxis.com/blog/cve-2022-26653-and-cve-2022-26777 • CWE-425: Direct Request ('Forced Browsing') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2021-42955
https://notcve.org/view.php?id=CVE-2021-42955
17 Nov 2021 — Zoho Remote Access Plus Server Windows Desktop binary fixed in version 10.1.2132 is affected by an unauthorized password reset vulnerability. Because of the designed password reset mechanism, any non-admin Windows user can reset the password of the Remote Access Plus Server Admin account. Zoho Remote Access Plus Server Windows Desktop binary corregido en versión 10.1.2132, está afectado por una vulnerabilidad de restablecimiento de contraseña no autorizada. Debido al mecanismo de restablecimiento de contras... • https://medium.com/nestedif/vulnerability-disclosure-improper-acl-unauthorized-password-reset-zoho-r-a-p-62efcdceb7a6 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2021-42954
https://notcve.org/view.php?id=CVE-2021-42954
17 Nov 2021 — Zoho Remote Access Plus Server Windows Desktop Binary fixed from 10.1.2121.1 is affected by incorrect access control. The installation directory is vulnerable to weak file permissions by allowing full control for Windows Everyone user group (non-admin or any guest users), thereby allowing privilege escalation, unauthorized password reset, stealing of sensitive data, access to credentials in plaintext, access to registry values, tampering with configuration files, etc. Zoho Remote Access Plus Server Windows ... • https://medium.com/nestedif/vulnerability-disclosure-improper-filesystem-permission-misconfigured-acls-zoho-r-a-p-56e195464b51 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.5EPSS: 11%CPEs: 1EXPL: 1CVE-2021-41827
https://notcve.org/view.php?id=CVE-2021-41827
30 Sep 2021 — Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials for read-only access. The credentials are in the source code that corresponds to the DCBackupRestore JAR archive. Zoho ManageEngine Remote Access Plus versiones anteriores a 10.1.2121.1, presenta credenciales embebidas para el acceso de sólo lectura. Las credenciales están en el código fuente que corresponde al archivo JAR DCBackupRestore • https://medium.com/nestedif/vulnerability-disclosure-hardcoded-keys-password-zoho-r-a-p-318aa9bba2e • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.5EPSS: 11%CPEs: 1EXPL: 1CVE-2021-41828
https://notcve.org/view.php?id=CVE-2021-41828
30 Sep 2021 — Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials associated with resetPWD.xml. Zoho ManageEngine Remote Access Plus versiones anteriores a 10.1.2121.1, presenta credenciales embebidas asociadas al archivo resetPWD.xml • https://medium.com/nestedif/vulnerability-disclosure-hardcoded-keys-password-zoho-r-a-p-318aa9bba2e • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.5EPSS: 6%CPEs: 1EXPL: 1CVE-2021-41829
https://notcve.org/view.php?id=CVE-2021-41829
30 Sep 2021 — Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application's build number to calculate a certain encryption key. Zoho ManageEngine Remote Access Plus versiones anteriores a 10.1.2121.1, es basado en el número de compilación de la aplicación para calcular una determinada clave de cifrado • https://medium.com/nestedif/vulnerability-disclosure-statically-derived-encryption-key-zoho-r-a-p-907088263197 • CWE-330: Use of Insufficiently Random Values •
CVSS: 4.8EPSS: 13%CPEs: 1EXPL: 1CVE-2019-16268
https://notcve.org/view.php?id=CVE-2019-16268
03 Feb 2021 — Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen. Zoho ManageEngine Remote Access Plus versión 10.0.259, permite una inyección HTML por medio del campo Description en la pantalla Admin - User Administration userMgmt.do?actionToCall=ShowUser • https://www.esecforte.com/responsible-vulnerability-disclosure-cve-2019-16268-html-injection-vulnerability-in-manageengine-remote-access-plus • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •