HIGH✓ PATCH🇵🇱 Wersja polska

CVE-2023-35785

CVSS 8.1v3.1pub. 2023-08-28upd. 2024-11-21

Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4161 and below, Data Security Plus 6110 and below, Eventlog Analyzer 12301 and below, Exchange Reporter Plus 5709 and below, Log360 5315 and below, Log360 UEBA 4045 and below, M365 Manager Plus 4529 and below, M365 Security Plus 4529 and below, Recovery Manager Plus 6061 and below, ServiceDesk Plus 14204 and below and 143xx 14302 and below, ServiceDesk Plus MSP 14300 and below, SharePoint Manager Plus 4402 and below, and Support Center Plus 14300 and below are vulnerable to 2FA bypass via a few TOTP authenticators. Note: A valid pair of username and password is required to leverage this vulnerability.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Zohocorp Manageengine Ad360

    APP
    Zohocorp
    4.3< 4.3
  • Zohocorp Manageengine Adaudit Plus

    APP
    Zohocorp
    7.2< 7.2
  • Zohocorp Manageengine Admanager Plus

    APP
    Zohocorp
    7.2< 7.2
  • Zohocorp Manageengine Assetexplorer

    APP
    Zohocorp
    6.97.0< 6.9
  • Zohocorp Manageengine Cloud Security Plus

    APP
    Zohocorp
    4.1< 4.1
  • Zohocorp Manageengine Datasecurity Plus

    APP
    Zohocorp
    6.1< 6.1
  • Zohocorp Manageengine Eventlog Analyzer

    APP
    Zohocorp
    12.3.0< 12.3.0
  • Zohocorp Manageengine Exchange Reporter Plus

    APP
    Zohocorp
    5.7< 5.7
  • Zohocorp Manageengine Log360

    APP
    Zohocorp
    5.3< 5.3
  • Zohocorp Manageengine Log360 Ueba

    APP
    Zohocorp
    4.0
  • Zohocorp Manageengine M365 Manager Plus

    APP
    Zohocorp
    4.5< 4.5
  • Zohocorp Manageengine M365 Security Plus

    APP
    Zohocorp
    4.5< 4.5
  • Zohocorp Manageengine Recoverymanager Plus

    APP
    Zohocorp
    6.0< 6.0
  • Zohocorp Manageengine Servicedesk Plus

    APP
    Zohocorp
    14.214.3< 14.2
  • Zohocorp Manageengine Servicedesk Plus Msp

    APP
    Zohocorp
    14.3< 14.3
  • Zohocorp Manageengine Sharepoint Manager Plus

    APP
    Zohocorp
    4.4< 4.4
  • Zohocorp Manageengine Supportcenter Plus

    APP
    Zohocorp
    14.3< 14.3
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2022-47966CRITICAL9.8⚠ KEVten sam produkt

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code exec...

CVE-2021-44077CRITICAL9.8⚠ KEVten sam produkt

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus bef...

CVE-2021-37415CRITICAL9.8⚠ KEVten sam produkt

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-...

CVE-2025-3835CRITICAL9.6PL ✓ten sam produkt

RCE w module Content Search aplikacji ManageEngine Exchange Reporter Plus

CVE-2023-48792CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Zoho ManageEngine ADAudit Plus — eksport raportów