CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2016-1161
https://notcve.org/view.php?id=CVE-2016-1161
Cross-site request forgery (CSRF) vulnerability in ManageEngine Password Manager Pro before 8.5 (Build 8500). Vulnerabilidad CSRF ManageEngine Password Manager Pro en versiones anteriores a 8.5 (Build 8500). • http://jvn.jp/en/vu/JVNVU95113461 http://www.securityfocus.com/bid/91531 https://www.excellium-services.com/cert-xlm-advisory/cve-2016-1161 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 1%CPEs: 1EXPL: 0CVE-2014-9372 – ManageEngine Password Manager Pro UploadAccountActivities filename Directory Traversal Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2014-9372
Directory traversal vulnerability in the UploadAccountActivities servlet in ManageEngine Password Manager Pro (PMP) before 7103 allows remote attackers to delete arbitrary files via a .. (dot dot) in a filename. Vulnerabilidad de salto de directorio en el servlet UploadAccountActivities en ManageEngine Password Manager Pro (PMP) anterior a 7103 permite a atacantes remotos eliminar ficheros arbitrarios a través de un .. (punto punto) en el nombre del fichero. This vulnerability allows remote attackers to create a denial of service condition on vulnerable installations of ManageEngine Password Manager Pro. • http://www.manageengine.com/products/passwordmanagerpro/release-notes.html http://www.zerodayinitiative.com/advisories/ZDI-14-421 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 1%CPEs: 2EXPL: 4CVE-2014-8499 – Password Manager Pro / Pro MSP - Blind SQL Injection
https://notcve.org/view.php?id=CVE-2014-8499
Multiple SQL injection vulnerabilities in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allow remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter to (1) SQLAdvancedALSearchResult.cc or (2) AdvancedSearchResult.cc. Múltiples vulnerabilidades de inyección SQL en ManageEngine Password Manager Pro (PMP) y Password Manager Pro Managed Service Providers (MSP) edition anterior a 7.1 build 7105 permite a usuarios remotos autenticados ejecutar código arbitrario SQL a través del parámetro SEARCH_ALL en (1) SQLAdvancedALSearchResult.cc o (2) AdvancedSearchResult.cc. Password Manager Pro versions prior to 7.1 build 7105 suffer from multiple remote SQL injection vulnerabilities. • https://www.exploit-db.com/exploits/35210 http://osvdb.org/show/osvdb/114484 http://osvdb.org/show/osvdb/114485 http://packetstormsecurity.com/files/129036/Password-Manager-Pro-SQL-Injection.html http://seclists.org/fulldisclosure/2014/Nov/18 http://www.exploit-db.com/exploits/35210 http://www.securityfocus.com/bid/71018 https://exchange.xforce.ibmcloud.com/vulnerabilities/98595 https://exchange.xforce.ibmcloud.com/vulnerabilities/98597 https://raw.githubusercontent.com/pedrib/PoC/master&# • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 93%CPEs: 6EXPL: 6CVE-2014-3996 – ManageEngine Password Manager - MetadataServlet.dat SQL Injection
https://notcve.org/view.php?id=CVE-2014-3996
SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90043, Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to LinkViewFetchServlet.dat. Vulnerabilidad de inyección SQL en el servlet LinkViewFetchServlet en la edición ManageEngine Desktop Central (DC) y Desktop Central Managed Service Providers (MSP) anterior a 9 build 90043, la edición Password Manager Pro (PMP) y Password Manager Pro Managed Service Providers (MSP) anterior a 7 build 7003, la edición IT360 y IT360 Managed Service Providers (MSP) anterior a 10.3.3 build 10330, y posiblemente otros productos ManageEngine, permite a atacantes remotos o usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro sv en LinkViewFetchServlet.dat. • https://www.exploit-db.com/exploits/34409 http://packetstormsecurity.com/files/127973/ManageEngine-Password-Manager-MetadataServlet.dat-SQL-Injection.html http://seclists.org/fulldisclosure/2014/Aug/55 http://seclists.org/fulldisclosure/2014/Aug/85 http://www.securityfocus.com/bid/69305 https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc_pmp_it360_sqli.txt https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_pmp_sqli.rb • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 12EXPL: 1CVE-2009-4387
https://notcve.org/view.php?id=CVE-2009-4387
The cross-site scripting (XSS) protection mechanism in ShowInContentAreaAction.do in ManageEngine Password Manager Pro (PMP) before 6.1 Build 6104 uses case-sensitive checks for malicious inputs, which allows remote attackers to inject arbitrary web script or HTML via the searchtext parameter and other unspecified inputs. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en ShowInContentAreaAction.do en ManageEngine Password Manager Pro (PMP) en versiónes anteriores a v6.1 Build 6104 utiliza comprobación del uso de mayúsculas/minúsculas para entradas maliciosas, lo que permite a atacantes remotos inyectar secuencias de comandos web o HTML de forma arbitraria a través del parámetro "searchtext" y otras entradas sin especificar. • http://forums.manageengine.com/#Topic/49000003740390 http://secunia.com/advisories/37765 http://www.manageengine.com/products/passwordmanagerpro/release-notes.html http://www.scip.ch/?vuldb.4063 http://www.scip.ch/publikationen/advisories/scip_advisory-4063_manageengine_pmp_script_injection.txt http://www.securityfocus.com/bid/37336 http://www.vupen.com/english/advisories/2009/3540 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •