Rewterz Threat Advisory – Multiple Zoho ManageEngine Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2023-23076 CVSS:9.8

Zoho ManageEngine Support Center Plus could allow a remote attacker to execute arbitrary commands on the system, caused by a command injection vulnerability in Executor in Action when creating new schedules. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
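The following is an added illustration of the vulnerability class described above (untrusted input spliced into an OS command); it is not Zoho's code and makes no claim about how Support Center Plus builds its commands. The schedule-name parameter, the validator, and the argv shape are assumptions made for the example.

```python
import re
import subprocess
import sys

# Constructed sample input: a schedule name carrying shell metacharacters.
HOSTILE_NAME = "nightly; echo INJECTED"

# Assumed allowlist for a schedule name: letters, digits, '-', '_', '.'.
SCHEDULE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def build_shell_command_vulnerable(schedule_name: str) -> str:
    # Defect being illustrated: the untrusted value becomes part of a shell
    # command string. A ';' in the value ends the intended command and starts
    # an attacker-chosen one if this string is ever handed to a shell.
    return f"scheduler --create {schedule_name}"


def is_valid_schedule_name(schedule_name: str) -> bool:
    # First line of defence: reject anything outside the allowlist early,
    # before it reaches any command-building code.
    return SCHEDULE_NAME_RE.fullmatch(schedule_name) is not None


def build_argv_hardened(schedule_name: str) -> list:
    # Hardened form: validate, then pass the value as one argv element.
    # No shell is involved, so metacharacters are just ordinary bytes.
    if not is_valid_schedule_name(schedule_name):
        raise ValueError("schedule name rejected by allowlist")
    return ["scheduler", "--create", schedule_name]


def echo_single_argument(value: str) -> str:
    # Demonstrates that an argv list keeps the whole value as ONE argument.
    # Uses the running Python interpreter so the example needs no other binary.
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    print("vulnerable string:", build_shell_command_vulnerable(HOSTILE_NAME))
    print("allowlist accepts hostile name:", is_valid_schedule_name(HOSTILE_NAME))
    print("argv keeps value intact:", echo_single_argument(HOSTILE_NAME))
```

The two defences are independent: the allowlist stops the hostile value at the boundary, and the argv form means that even a value which slips past validation cannot change which program runs or add a second command.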

CVE-2023-23075 CVSS:6.1

Zoho ManageEngine Asset Explorer is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Assets Workstation component. A remote attacker could exploit this vulnerability using the name parameter to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23073 CVSS:6.1

Zoho ManageEngine ServiceDesk Plus is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the purchase component. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23074 CVSS:6.1

Zoho ManageEngine ServiceDesk Plus is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the language component. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23077 CVSS:6.1

Zoho ManageEngine ServiceDesk Plus is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the comment parameter to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-23078 CVSS:6.1

Zoho ManageEngine ServiceDesk Plus is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Assets component. A remote attacker could exploit this vulnerability using the comment parameter to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
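The five cross-site scripting entries above share one root cause: a request parameter (the advisory names `name` and `comment`) is reflected into a page without output encoding. The block below is an added example, not Zoho's code or Rewterz's, showing the unencoded rendering beside the encoded form and a small detector that flags HTML metacharacters in those parameters across web-server access logs. The URL paths, log format and parameter names in the sample lines are constructed for the example and do not describe the real products.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Parameters the advisory names as the injection points.
WATCHED_PARAMS = {"name", "comment"}
HTML_METACHARS = set('<>"\'')

# Constructed sample access-log lines (paths are hypothetical).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2023:10:00:01 +0000] "GET /assets/workstation?name=Laptop-42 HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2023:10:00:07 +0000] "GET /assets/workstation?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640
10.0.0.9 - - [10/Jan/2023:10:00:09 +0000] "GET /purchase?comment=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 700
10.0.0.7 - - [10/Jan/2023:10:00:12 +0000] "GET /purchase?comment=Approved HTTP/1.1" 200 430
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def render_vulnerable(comment: str) -> str:
    # Defect being illustrated: the parameter is interpolated verbatim, so
    # markup in it becomes part of the page and runs in the viewer's browser.
    return f"<div class='comment'>{comment}</div>"


def render_hardened(comment: str) -> str:
    # Fix: HTML-encode on output. quote=True also encodes quotes, which
    # matters when the value lands inside an attribute.
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def suspicious_requests(log_text: str) -> list:
    """Return (client_ip, parameter, decoded_value) for each watched
    parameter whose decoded value contains an HTML metacharacter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client_ip, _method, target, _status = m.groups()
        # parse_qs percent-decodes the values, so the check sees what the
        # application would have reflected.
        query = parse_qs(urlparse(target).query, keep_blank_values=True)
        for param, values in query.items():
            if param not in WATCHED_PARAMS:
                continue
            for value in values:
                if HTML_METACHARS & set(value):
                    hits.append((client_ip, param, value))
    return hits


if __name__ == "__main__":
    print(render_vulnerable("<b>hi</b>"))
    print(render_hardened("<b>hi</b>"))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

Encoding at the point of output is the mitigation; the log check is a cheap triage signal for the period before the vendor patch is applied, and it will flag legitimate values containing quotes or angle brackets, so treat hits as leads rather than verdicts.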

Impact

Command Execution

Cross-Site Scripting

Indicators Of Compromise

CVE

CVE-2023-23076

CVE-2023-23075

CVE-2023-23073

CVE-2023-23074

CVE-2023-23077

CVE-2023-23078

Affected Vendors

Zoho

Affected Products

Zoho ManageEngine Support Center Plus 11

Zoho ManageEngine Asset Explorer 6.9

Zoho ManageEngine ServiceDesk Plus 14

Zoho ManageEngine ServiceDesk Plus 13

Remediation

Refer to Zoho Website for patch, upgrade or suggested workaround information.

Zoho Website

The post Rewterz Threat Advisory – Multiple Zoho ManageEngine Vulnerabilities first appeared on Rewterz.
