Vulnerabilites related to ManageEngine - PAM360
CVE-2024-27312 (GCVE-0-2024-27312)
Vulnerability from cvelistv5
Published
2024-05-20 12:38
Modified
2024-10-07 11:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Zohocorp ManageEngine PAM360 version 6601 is vulnerable to authorization vulnerability which allows a low-privileged user to perform admin actions.
Note: This vulnerability affects only the PAM360 6600 version. No other versions are applicable to this vulnerability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | PAM360 |
Version: 6601 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:manageengine:pam360:660q:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "pam360",
"vendor": "manageengine",
"versions": [
{
"lessThan": "6601",
"status": "affected",
"version": "660q",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-20T14:15:20.342335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T15:53:35.964Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:28:00.339Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.manageengine.com/privileged-access-management/advisory/cve-2024-27312.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PAM360",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "6602",
"status": "affected",
"version": "6601",
"versionType": "6601"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eZohocorp ManageEngine PAM360 version 6601 is vulnerable to authorization vulnerability which allows a low-privileged user to perform admin actions. \u003cbr\u003eNote: This vulnerability affects only the PAM360 6600 version. No other versions are applicable to this vulnerability.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine PAM360 version 6601 is vulnerable to authorization vulnerability which allows a low-privileged user to perform admin actions. \nNote: This vulnerability affects only the PAM360 6600 version. No other versions are applicable to this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T11:45:01.627Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/privileged-access-management/advisory/cve-2024-27312.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Authorization vulnerability in PAM360",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-27312",
"datePublished": "2024-05-20T12:38:26.180Z",
"dateReserved": "2024-02-23T06:13:18.186Z",
"dateUpdated": "2024-10-07T11:45:01.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5546 (GCVE-0-2024-5546)
Vulnerability from cvelistv5
Published
2024-08-28 08:44
Modified
2024-08-28 13:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Zohocorp ManageEngine Password Manager Pro versions before 12431 and ManageEngine PAM360 versions before 7001 are affected by authenticated SQL Injection vulnerability via a global search option.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | ManageEngine | Password Manager Pro |
Version: 0 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:manageengine:pam360:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pam360",
"vendor": "manageengine",
"versions": [
{
"lessThan": "7001",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:manageengine:password_manager_pro:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "password_manager_pro",
"vendor": "manageengine",
"versions": [
{
"lessThan": "12431",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5546",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T13:22:46.351173Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T13:27:52.940Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.manageengine.com/products/passwordmanagerpro/",
"defaultStatus": "unaffected",
"product": "Password Manager Pro",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "12431",
"status": "affected",
"version": "0",
"versionType": "12431"
}
]
},
{
"collectionURL": "https://www.manageengine.com/privileged-access-management/",
"defaultStatus": "unaffected",
"product": "PAM360",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "7001",
"status": "affected",
"version": "0",
"versionType": "7001"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eZohocorp\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eManageEngine Password Manager Pro versions \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ebefore 12431 and\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;ManageEngine PAM360 versions\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;before 7001 are affected by\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eauthenticated SQL Injection vulnerability via a global search option.\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "Zohocorp\u00a0ManageEngine Password Manager Pro versions before 12431 and\u00a0ManageEngine PAM360 versions\u00a0before 7001 are affected by\u00a0authenticated SQL Injection vulnerability via a global search option."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T08:44:09.433Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2024-5546.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-5546",
"datePublished": "2024-08-28T08:44:09.433Z",
"dateReserved": "2024-05-30T19:06:01.692Z",
"dateUpdated": "2024-08-28T13:27:52.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27313 (GCVE-0-2024-27313)
Vulnerability from cvelistv5
Published
2024-05-29 11:01
Modified
2024-08-02 00:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Zoho ManageEngine PAM360 is vulnerable to Stored XSS vulnerability. This vulnerability is applicable only in the version 6610.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | PAM360 |
Version: 6610 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:manageengine:pam360:660q:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pam360",
"vendor": "manageengine",
"versions": [
{
"lessThan": "6611",
"status": "affected",
"version": "6610",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27313",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-29T14:03:45.812914Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:47:22.712Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:27:59.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.manageengine.com/privileged-access-management/advisory/cve-2024-27313.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PAM360",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "6611",
"status": "affected",
"version": "6610",
"versionType": "14730"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zoho ManageEngine PAM360 is vulnerable to Stored XSS vulnerability. This vulnerability is applicable only in the version 6610."
}
],
"value": "Zoho ManageEngine PAM360 is vulnerable to Stored XSS vulnerability. This vulnerability is applicable only in the version 6610."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T08:33:56.748Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/privileged-access-management/advisory/cve-2024-27313.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSS Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-27313",
"datePublished": "2024-05-29T11:01:21.278Z",
"dateReserved": "2024-02-23T06:13:18.187Z",
"dateUpdated": "2024-08-02T00:27:59.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}