CVE-2022-28810

Published: 18/04/2022 Updated: 08/08/2023
CVSS v2 Base Score: 7.1 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 6.8 | Impact Score: 5.9 | Exploitability Score: 0.9
VMScore: 632
Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C

Vulnerability Summary

Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating system commands as SYSTEM via the policy custom script feature. Because the product ships with a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script because the password field is not sanitized.

Affected Products
zohocorp manageengine adselfservice plus 6.1

zohocorp manageengine adselfservice plus

Exploits

This Metasploit module exploits the "custom script" feature of ADSelfService Plus. The feature was removed in build 6122 as part of the patch for CVE-2022-28810. For purposes of this module, a "custom script" is arbitrary operating system command execution. This module uses an attacker-provided "admin" account to insert the malicious payload into t ...