
CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie.
• References: http://jvn.jp/en/jp/JVN72559412/index.html , http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000171.html , http://www.securityfocus.com/bid/93216 , https://www.manageengine.com/products/service-desk/readme-9.2.html
• CWE-254: 7PK - Security Features

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions.
• References: http://jvn.jp/en/jp/JVN89726415/index.html , http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000170.html , http://www.securityfocus.com/bid/93215 , https://www.manageengine.com/products/service-desk/readme-9.0.html
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
• References: http://jvn.jp/en/jp/JVN50347324/index.html , http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000169.html , http://www.securityfocus.com/bid/93214 , https://www.manageengine.com/products/service-desk/readme-9.2.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.0 | EPSS: 75% | CPEs: 1 | EXPL: 4

ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4) reports/CreateReportTable.jsp.
• References: https://www.exploit-db.com/exploits/35904 , http://osvdb.org/show/osvdb/117499 , http://packetstormsecurity.com/files/130081/ManageEngine-ServiceDesk-Plus-9.0-Privilege-Escalation.html , http://www.exploit-db.com/exploits/35904 , http://www.manageengine.com/products/service-desk/readme-9.0.html , http://www.rewterz.com/vulnerabilities/manageengine-servicedesk-plus-user-privileges-management-vulnerability , http://www.securityfocus.com/archive/1/534538/100/0/threaded , http://www.securityfocus.com/bid/72302
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 5

SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter.
• References: https://www.exploit-db.com/exploits/35890 , http://packetstormsecurity.com/files/130079/ManageEngine-ServiceDesk-9.0-SQL-Injection.html , http://www.exploit-db.com/exploits/35890 , http://www.manageengine.com/products/service-desk/readme-9.0.html , http://www.rewterz.com/vulnerabilities/manageengine-servicedesk-sql-injection-vulnerability , http://www.securityfocus.com/bid/72299
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')