- 41/2024
- High
ManageEngine has released security updates to address several vulnerabilitiesacross multiple products such as ADAudit Plus and ADSelfService Plus.
The addressed vulnerabilities could allow the remote attacker to manipulate data and view, add, modify, or delete information in the back-end database by sending a specially crafted SQL statement, or execute arbitrary code, and gain access to the affected system.
Sample of the addressed vulnerabilities:
1. ManageEngine ADSelfService Plus Code Execution Vulnerability (CVE-2024- 0252):
- CVSS: 8.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Access
2. ManageEngine ADAudit Plus SQL Injection Vulnerability (CVE-2024-0253):
- CVSS: 8.3
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Data Manipulation
Vulnerabilities
- CVE-2024-0253
- CVE-2024-0252
- CVE-2024-21733
- CVE-2024-0269
- CVE-2023-48793
- CVE-2023-48792
- CVE-2023-49334
- CVE-2023-49330
- CVE-2023-49333
- CVE-2023-49332
- CVE-2023-49331
- CVE-2023-49335
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.