CVE-2023-29505: CVE-2023-29505 - Excellium Services

An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. The WebSocket endpoint allows Cross-site WebSocket hijacking.


Abstract Advisory Information

An endpoint of the application is prone to a Cross-site WebSocket hijacking attack.
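The server-side check that closes this class of bug is validation of the `Origin` header on the WebSocket handshake, since the browser attaches the victim's session cookie to an upgrade started from any site. The following is an added illustration, not code from the advisory or from ManageEngine; the origin allowlist and the three handshake requests are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist of front-end origins; a deployment lists its own.
ALLOWED_ORIGINS = {"https://ncm.example.internal"}


def parse_handshake(raw: str) -> dict:
    """Split an HTTP/1.1 request into method, target and lower-cased headers."""
    lines = raw.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def accept_handshake(raw: str) -> tuple:
    """Return (accepted, reason) for a WebSocket upgrade request.

    The session cookie alone must never authorise the upgrade: the browser
    sends it with a handshake started by any site, which is what Cross-site
    WebSocket hijacking abuses. The Origin header, set by the browser and
    not forgeable from page script, is checked against the allowlist.
    """
    h = parse_handshake(raw)["headers"]
    if h.get("upgrade", "").lower() != "websocket" or \
            "upgrade" not in h.get("connection", "").lower():
        return False, "not a websocket upgrade"
    origin = h.get("origin")
    if origin is None:
        # Browsers always send Origin; non-browser clients should present a
        # bearer token instead of the cookie session, so refuse here.
        return False, "missing Origin"
    p = urlsplit(origin)
    if f"{p.scheme}://{p.netloc}".lower() not in ALLOWED_ORIGINS:
        return False, f"origin {origin} not allowed"
    return True, "ok"


# Constructed handshake samples: same-origin, cross-site, and no Origin.
SAME_ORIGIN = ("GET /socket HTTP/1.1\r\nHost: ncm.example.internal\r\n"
               "Upgrade: websocket\r\nConnection: Upgrade\r\n"
               "Sec-WebSocket-Version: 13\r\nCookie: JSESSIONID=constructed\r\n"
               "Origin: https://ncm.example.internal\r\n\r\n")
CROSS_SITE = SAME_ORIGIN.replace("https://ncm.example.internal\r\n\r\n",
                                 "https://attacker.example\r\n\r\n")
NO_ORIGIN = SAME_ORIGIN.replace("Origin: https://ncm.example.internal\r\n", "")
```

Only the same-origin request is accepted; the cross-site handshake is refused even though it carries a valid session cookie.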

Author: Dominique Righetto

Version affected

Name: Network Configuration Manager

Versions: 12.6.165

Common Vulnerability Scoring System

4.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Patch

OpManager v12.7

Build No 127133 – August 2, 2023

References

  • https://www.manageengine.com/network-monitoring/help/read-me-complete.html#build_127131

Vulnerability Disclosure Timeline

    • 26/12/2022: Vulnerability discovery
    • 03/01/2023: Vulnerability reported to CERT-XLM
    • 06/01/2023: Vulnerability reported to Zoho through their form
    • 06/01/2023: Vulnerability report tracked by Zoho under ID ZVE-2023-0115
    • 06/02/2023: POC shared with Zoho
    • 09/02/2023: Affected service changed from Network Configuration Manager to OpManager
    • 21/02/2023: Zoho is working on it
    • 10/03/2023: Update requested from Zoho
    • 14/03/2023: Zoho requested more information
    • 15/03/2023: POC sent to Zoho
    • 30/03/2023: Confirmation from Zoho that the bug is being fixed
    • 11/04/2023: CVE ID assigned: CVE-2023-29505
    • 14/04/2023: Update requested from Zoho
    • 25/04/2023: Update requested from Zoho
    • 08/05/2023: Update requested from Zoho
    • 23/05/2023: Zoho updated their CVE ID
    • 24/05/2023: Update requested from Zoho
    • 13/06/2023: Update requested from Zoho
    • 13/06/2023: Zoho replied that the fix is planned for mid-July
    • 11/07/2023: Update requested from Zoho
    • 12/07/2023: Zoho gave a reward
    • 18/07/2023: Fix build number requested from Zoho
    • 01/08/2023: Update requested from Zoho
    • 02/08/2023: Patch build number provided by Zoho
    • 03/08/2023: Expected vulnerability disclosure
