Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-04-18T12:22:59

Updated: 2024-08-03T06:03:52.963Z

Reserved: 2022-04-08T00:00:00

Link: CVE-2022-28810

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2022-04-18T13:15:08.233

Modified: 2023-08-08T14:21:49.707

Link: CVE-2022-28810

cve-icon Redhat

No data.