PT-2023-7422 · Manageengine · Zoho Manageengine Admanager Plus

Simon Humbert

Published

2023-01-12

Updated

2025-03-17

CVE-2023-29084

CVSS v2.0

8.3

High

Vector

AV:N/AC:L/Au:M/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions ManageEngine ADManager Plus versions prior to 7181

Description The issue allows for authenticated users to exploit command injection via Proxy settings. This is due to the lack of neutralization of special elements used in the operating system command. Exploitation of the issue may allow a remote attacker to execute arbitrary code.

Recommendations For versions prior to 7181, update to version 7181 or later to resolve the command injection issue in the Proxy settings. As a temporary workaround, consider restricting access to the Proxy settings until a patch is available.

Exploit

Fix

OS Command Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78CWE-77

Related Identifiers

BDU:2023-08459

CVE-2023-29084

ZDI-23-438

Affected Products

Zoho Manageengine Admanager Plus

PT-2023-7422 · Manageengine · Zoho Manageengine Admanager Plus

CVE-2023-29084

Weakness Enumeration

Related Identifiers

Affected Products

References · 19