Lucene search

K
nessusThis script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.MANAGEENGINE_ADAUDIT_PLUS_CVE-2022-28219_VCF.NBIN
HistoryApr 27, 2022 - 12:00 a.m.

ManageEngine ADAudit Plus < Build 7060 XXE RCE

2022-04-2700:00:00
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
81

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.975 High

EPSS

Percentile

100.0%

The ManageEngine ADAudit Plus running on the remote host is affected by a remote code execution vulnerability due to the lack of proper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via specially crafted messages, to execute unauthenticated code on the remote ADAudit Plus server.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version.

Binary data manageengine_adaudit_plus_CVE-2022-28219_vcf.nbin
VendorProductVersionCPE
zohocorpmanageengine_adaudit_pluscpe:/a:zohocorp:manageengine_adaudit_plus

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.975 High

EPSS

Percentile

100.0%