Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2022-04-18T12:22:59
Updated: 2024-08-03T06:03:52.963Z
Reserved: 2022-04-08T00:00:00
Link: CVE-2022-28810
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2022-04-18T13:15:08.233
Modified: 2023-08-08T14:21:49.707
Link: CVE-2022-28810
Redhat
No data.