CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation: an established guest session is automatically converted into an established administrator session when the guest user submits the administrator username, with an arbitrary incorrect password, in a login attempt to mc/login from a different browser tab. The failed login still rebinds the existing guest session to the administrator account, so an attacker holding any guest session needs only the administrator's username, not the password. The GitHub reference tracks this as CVE-2019-10008. It is catalogued under CWE-384 (Session Fixation); the practical defect is that the session principal is changed before the credential is verified, and the session is not re-issued on authentication.

References: https://www.exploit-db.com/exploits/46659 | https://github.com/ignis-sec/CVE-2019-10008 | https://www.manageengine.com/products/service-desk/readme.html
CWE-384: Session Fixation
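
The following is an added illustration of the bug class the entry above describes, not ManageEngine's code and not the published exploit: a toy in-memory session store with two login handlers. The vulnerable one rebinds the session's principal as soon as the submitted username exists, before the password check, so a failed attempt with the administrator username leaves the caller's existing guest session running as administrator. The hardened one changes nothing until the password verifies and then rotates the session ID. The user table, salt, passwords and session layout are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo credentials; a static salt is used only to keep the
# example short (real stores salt per user).
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"guest": _hash("guest-pass"), "administrator": _hash("admin-pass")}
ROLES = {"guest": "guest", "administrator": "admin"}

# session id -> {"user": ..., "role": ...}; one dict stands in for the
# server-side session store that both browser tabs share via the cookie.
SESSIONS = {}


def start_guest_session() -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "guest", "role": "guest"}
    return sid


def password_ok(username: str, password: str) -> bool:
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected, _hash(password))


def login_vulnerable(sid: str, username: str, password: str):
    """Bug pattern: the session principal is rebound to the submitted
    username before the password is verified. When the password is wrong
    the handler reports failure, but the caller's existing session has
    already been upgraded in place."""
    sess = SESSIONS[sid]
    if username in USERS:
        sess["user"] = username
        sess["role"] = ROLES[username]
    if not password_ok(username, password):
        return sid, False
    return sid, True


def login_fixed(sid: str, username: str, password: str):
    """Hardened: no session state changes until the credential verifies;
    on success the pre-authentication session is discarded and a fresh
    session id is issued, which also closes the fixation angle."""
    if not password_ok(username, password):
        return sid, False
    SESSIONS.pop(sid, None)
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"user": username, "role": ROLES[username]}
    return new_sid, True


def role_of(sid: str) -> str:
    return SESSIONS[sid]["role"]


def failed_admin_attempt(login):
    """Reproduce the advisory's scenario against a given login handler:
    start as guest, then submit the admin username with a wrong password
    on the same session. Returns (login_succeeded, role_afterwards)."""
    sid = start_guest_session()
    sid_after, ok = login(sid, "administrator", "wrong-password")
    return ok, role_of(sid_after)


if __name__ == "__main__":
    print("vulnerable:", failed_admin_attempt(login_vulnerable))  # (False, 'admin')
    print("fixed:     ", failed_admin_attempt(login_fixed))       # (False, 'guest')
```

The check to add to a review of any login handler is the same as the one the fixed version encodes: nothing that identifies the principal may be written to the session on the failure path, and a successful authentication must issue a new session identifier rather than promote the one the client arrived with.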

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for an attacker who obtains a cookie to recover sensitive password information from it. The advisory does not describe how the cookie is constructed; the fix ships in 9.2 (see the readme-9.2 reference). A cookie captured from an earlier build should therefore be handled as a credential exposure, not merely a session exposure, and the affected user's password rotated.

References: http://jvn.jp/en/jp/JVN72559412/index.html | http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000171.html | http://www.securityfocus.com/bid/93216 | https://www.manageengine.com/products/service-desk/readme-9.2.html
CWE-254: 7PK - Security Features

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have an unspecified impact by exploiting a failure to restrict access to unspecified functions; in other words, guest accounts can reach functionality that should require higher privileges. The advisory names neither the functions nor the impact. Fixed in 9.0 (see the readme-9.0 reference).

References: http://jvn.jp/en/jp/JVN89726415/index.html | http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000170.html | http://www.securityfocus.com/bid/93215 | https://www.manageengine.com/products/service-desk/readme-9.0.html
CWE-264: Permissions, Privileges, and Access Controls

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Fixed in 9.2 (see the readme-9.2 reference).

References: http://jvn.jp/en/jp/JVN50347324/index.html | http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000169.html | http://www.securityfocus.com/bid/93214 | https://www.manageengine.com/products/service-desk/readme-9.2.html
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.0 | EPSS: 75% | CPEs: 1 | EXPL: 4

ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via (1) a getTicketData action sent to servlet/AJaxServlet, or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4) reports/CreateReportTable.jsp. Any logged-in account suffices, so low-privileged users can read ticket data they are not authorized to see; the referenced write-ups describe it as a privilege-escalation / user-privileges-management issue. Despite the 4.0 CVSS score, the EPSS is 75% and four public exploits are listed, so an unpatched instance should be treated as readily exploitable. Fixed in 9.0 build 9031 (see the readme-9.0 reference).

References: https://www.exploit-db.com/exploits/35904 | http://osvdb.org/show/osvdb/117499 | http://packetstormsecurity.com/files/130081/ManageEngine-ServiceDesk-Plus-9.0-Privilege-Escalation.html | http://www.exploit-db.com/exploits/35904 | http://www.manageengine.com/products/service-desk/readme-9.0.html | http://www.rewterz.com/vulnerabilities/manageengine-servicedesk-plus-user-privileges-management-vulnerability | http://www.securityfocus.com/archive/1/534538/100/0/threaded | http://www.securityfocus.com/bid/72302
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
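
Because the four vectors in the entry above are concrete request targets, they can be hunted for in web-server access logs. The script below is an added example (not part of the advisory or of SDP) that parses combined-format access-log lines and flags any request whose path ends in one of the three direct-request paths, or any servlet/AJaxServlet request whose query string carries getTicketData. The log lines are constructed for the demo; the IPs, timestamps, ticket IDs, the `ticketId`/`reportId` parameter names, and the assumption that SDP is served from the web root are all invented, and the suffix match means a non-root context path would still be caught.

```python
import re
from collections import Counter

# Constructed sample access log (Apache/Tomcat combined format). Hosts,
# times, IDs and the benign CSS request are made up for the demo.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jan/2015:10:01:02 +0000] "GET /servlet/AJaxServlet?action=getTicketData&ticketId=1042 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Jan/2015:10:01:09 +0000] "GET /reports/flash/details.jsp?reportId=7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [21/Jan/2015:10:02:11 +0000] "GET /style/main.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Jan/2015:10:03:40 +0000] "GET /swf/flashreport.swf HTTP/1.1" 200 71234 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Jan/2015:10:04:00 +0000] "POST /reports/CreateReportTable.jsp HTTP/1.1" 302 0 "-" "curl/7.35.0"
10.0.0.7 - - [21/Jan/2015:10:05:00 +0000] "GET /servlet/AJaxServlet?action=getUserData HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# ip, ident, remote-user, [timestamp], "METHOD target protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Direct-request vectors (2), (3) and (4) from the advisory.
DIRECT_PATHS = (
    "/swf/flashreport.swf",
    "/reports/flash/details.jsp",
    "/reports/CreateReportTable.jsp",
)


def classify(target: str):
    """Return a rule name if the request target matches one of the four
    advisory vectors, otherwise None. Path suffix matching keeps the rule
    independent of the context path the application is deployed under."""
    path, _, query = target.partition("?")
    if path.endswith("/servlet/AJaxServlet") and "getTicketData" in query:
        return "AJaxServlet getTicketData"
    for p in DIRECT_PATHS:
        if path.endswith(p):
            return "direct request " + p
    return None


def scan_access_log(text: str):
    """Parse each line and collect the requests that hit a vector."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        rule = classify(m["target"])
        if rule is not None:
            hits.append({
                "ip": m["ip"], "user": m["user"], "method": m["method"],
                "status": int(m["status"]), "rule": rule,
            })
    return hits


def hits_by_ip(hits):
    """Count flagged requests per source address for triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print(hits_by_ip(found))
```

A path match alone is not proof of abuse: administrators and report users legitimately reach the reporting pages, so each flagged request should be joined against which account held the session at that time and whether that account was entitled to the ticket. The HTTP status is kept on each hit for that reason; a 200 with a non-trivial body is the case that warrants a look, while a redirect to the login page usually means the request was refused.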