Skip to main content

Manageengine Supportcenter Plus CVE-2023-23076

CRITICAL
OS Command Injection (CWE-78)
2023-02-01 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Feb 01, 2023 - 20:15 nvd
CRITICAL 9.8

DescriptionNVD

OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.

AnalysisAI

OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules. Affected products include: Zohocorp Manageengine Supportcenter Plus.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.

CVE-2014-100002 MEDIUM POC
5.0 Jan 13

Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arb

CVE-2015-5149 MEDIUM POC
5.5 Jun 30

Directory traversal vulnerability in Zoho ManageEngine SupportCenter Plus 7.90 allows remote authenticated users to writ

CVE-2021-44077 CRITICAL POC
9.8 Nov 29

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014

CVE-2022-36412 CRITICAL
9.8 Jul 26

In Zoho ManageEngine SupportCenter Plus before 11023, V3 API requests are vulnerable to authentication bypass. Rated cri

CVE-2023-6105 MEDIUM POC
5.5 Nov 15

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys bein

CVE-2022-25373 MEDIUM POC
5.4 Apr 05

Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history. Rated medium severity (CVSS

CVE-2022-40773 HIGH
8.8 Nov 12

Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege esca

CVE-2015-0866 MEDIUM POC
4.3 Feb 02

Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow

CVE-2023-35785 HIGH
8.1 Aug 28

Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and bel

CVE-2019-12133 HIGH
7.8 Jun 18

Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDR

CVE-2015-5150 LOW POC
3.5 Jun 30

Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authentica

CVE-2023-26601 HIGH
7.5 Mar 06

Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Su

Share

CVE-2023-23076 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy