CVE-2018-20664
Published: 2019-01-03

CVE-2018-20664: Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.

Priority: P3 50 · Severity: critical · CVSS 3.0 base score: 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 8.05% (94.1th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_adselfservice_plus | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Red Hat (vendor) | | 8.1 | HIGH | |
GHSA
GHSA-8qm5-3h3p-rc62: Zoho ManageEngine ADSelfService Plus 5
Source: GHSA (unreviewed) · 2022-05-14 · CVE-2018-20664 · CRITICAL · CWE-611
Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.
GHSA
Race condition in org.apache.hbase:hbase-thrift
Source: GHSA · 2018-10-18 · CVE-2018-8025 · HIGH · CWE-362
An issue in Apache HBase affects the optional "Thrift 1" API server when running over HTTP. There is a race-condition which could lead to authenticated sessions being incorrectly applied to users, e.g. one authenticated user would be considered a different user or an unauthenticated user would be treated as an authenticated user. https://issues.apache.org/jira/browse/HBASE-20664 implements a fix for this issue. It has been fixed in versions: 1.2.6.1, 1.3.2.1, 1.4.5, 2.0.1.
Red Hat
hbase: race-condition in "Thrift 1" API server
Source: Red Hat (vendor) · 2018-05-31 · CVSS 8.1 · CVE-2018-8025 · HIGH · CWE-362
CVE-2018-8025 describes an issue in Apache HBase that affects the optional "Thrift 1" API server when running over HTTP. There is a race-condition which could lead to authenticated sessions being incorrectly applied to users, e.g. one authenticated user would be considered a different user or an unauthenticated user would be treated as an authenticated user. https://issues.apache.org/jira/browse/HBASE-20664 implements a fix for this issue. It has been fixed in versions: 1.2.6.1, 1.3.2.1, 1.4.5, 2.0.1.
Package: camel-hbase (Red Hat Fuse 7) - Not affected
Package: camel-hbase (Red Hat JBoss Fuse 6) - Not affected
Package: camel-hbase (Red Hat JBoss Fuse Service Works 6) - Not affected
No detection rules found.
No public exploits indexed.
References
- https://www.excellium-services.com/cert-xlm-advisory/cve-2018-20664/
- https://www.manageengine.com/products/self-service-password/release-notes.html#5701