Alain Homewood

**Name of the Vulnerable Software and Affected Versions** Trend Micro Smart Protection Server versions 3.3 and below **Description** A server auth command injection authentication bypass issue could allow remote attackers to escalate privileges on vulnerable installations. **Recommendations** For versions 3.3 and below, update to a version above 3.3 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Lepide Active Directory Self Service (affected versions not specified) **Description** The issue is related to errors in the implementation of the password reset functionality in Lepide Active Directory Self Service. This allows remote authenticated users to change arbitrary domain user passwords via a crafted request. The exploitation of this issue may enable an attacker to modify passwords of arbitrary users using a specially crafted request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine SupportCenter Plus version 7.90 **Description** A directory traversal issue exists, allowing remote authenticated users to write to arbitrary files. This is achieved by including a .. (dot dot) in the `component` parameter in the Request component to "workorder/Attachment.jsp" API endpoint. **Recommendations** For Zoho ManageEngine SupportCenter Plus version 7.90, consider restricting access to the "workorder/Attachment.jsp" endpoint until a patch is available. As a temporary workaround, avoid using the `component` parameter in the Request component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine SupportCenter Plus version 7.90 **Description** The issue allows remote authenticated users to inject arbitrary web script or HTML. This can be achieved via the query parameter in the "run query editor query" module to "CustomReportHandler.do", the `compAcct` parameter to "jsp/ResetADPwd.jsp", or the `redirectTo` parameter to "jsp/CacheScreenWidth.jsp". **Recommendations** For Zoho ManageEngine SupportCenter Plus version 7.90, consider disabling access to the "run query editor query" module, restricting the use of the `compAcct` parameter in "jsp/ResetADPwd.jsp", and limiting access to the `redirectTo` parameter in "jsp/CacheScreenWidth.jsp" until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine AssetExplorer versions 6.1 service pack 6112 and earlier **Description** A cross-site scripting (XSS) issue allows remote authenticated users with permissions to add new vendors to inject arbitrary web script or HTML via the `organizationName` parameter to "VendorDef.do". **Recommendations** For versions 6.1 service pack 6112 and earlier, avoid using the `organizationName` parameter in the "VendorDef.do" endpoint until the issue is resolved. Restrict access to the "VendorDef.do" endpoint to minimize the risk of exploitation.