Rewterz Threat Advisory – Multiple Zoho ManageEngine Vulnerabilities Exploited in the Wild

Severity

High

Analysis Summary

CVE-2022-28810 CVSS:7.2

ManageEngine ADSelfService Plus could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a flaw when post-action custom scripts are enabled. By sending a specially-crafted request during password reset and password change, an attacker could exploit this vulnerability to execute arbitrary commands on the system.

CVE-2021-44515 CVSS:9.8

Zoho ManageEngine Desktop Central MSP could allow a remote attacker to execute arbitrary code on the system, caused by an authentication bypass flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass authentication and execute arbitrary code in the Desktop Central MSP server.

CVE-2021-37415 CVSS:9.8

Zoho ManageEngine ServiceDesk Plus could allow a remote attacker to bypass security restrictions. An attacker could exploit this vulnerability to access a few REST-API URLs without authentication.

CVE-2021-44077 CVSS:9.8

Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation by the /RestAPI URLs in a servlet and ImportTechnicians in the Struts configuration. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Impact

  • Code Execution
  • Security Bypass

Indicators Of Compromise

CVE

  • CVE-2022-28810
  • CVE-2021-44515
  • CVE-2021-37415
  • CVE-2021-44077

Affected Vendors

Zoho

Affected Products

  • ManageEngine ADSelfService Plus Build 6121
  • Zoho ManageEngine Desktop Central MSP
  • Zoho ManageEngine ServiceDesk Plus 11301
  • Zoho ManageEngine ServiceDesk Plus 11305
  • Zoho ManageEngine ServiceDesk Plus MSP 10527
  • Zoho ManageEngine ServiceDesk Plus MSP 10529
  • Zoho ManageEngine SupportCenter Plus 11012
  • Zoho ManageEngine SupportCenter Plus 11013

Remediation

Refer to the ManageEngine website for patch, upgrade, or suggested workaround information.

CVE-2022-28810

CVE-2021-44515

CVE-2021-37415

CVE-2021-44077