OS Command Injection in Zoho ManageEngine ADManager Plus - CVE-2023-29084
Published: April 12, 2023 / Updated: June 21, 2024
Vulnerability identifier: #VU75050
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear
CVE-ID: CVE-2023-29084
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: Zoho Corporation
Affected software:
Zoho ManageEngine ADManager Plus
Zoho ManageEngine ADManager Plus
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within the ChangePasswordAction function. A remote privileged user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
How to mitigate CVE-2023-29084
Install updates from vendor's website.