CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-44757
https://notcve.org/view.php?id=CVE-2021-44757
Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server. Zoho ManageEngine Desktop Central versiones anteriores a 10.1.2137.9 y Desktop Central MSP versiones anteriores a 10.1.2137.9, permiten a atacantes omitir la autenticación y leer información confidencial o cargar un archivo ZIP arbitrario en el servidor • https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022 •
CVSS: 10.0EPSS: 2%CPEs: 2EXPL: 4CVE-2014-5007 – ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-5007
Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename parameter. Una vulnerabilidad de salto de directorio en el servlet agentLogUploader en ZOHO ManageEngine Desktop Central (DC) y Desktop Central Managed Service Providers (MSP) edición anterior a 9 build 90055, permite a atacantes remotos escribir y ejecutar archivos arbitrarios como SYSTEM por medio de un .. (punto punto) en el parámetro filename. ManageEngine Desktop Central suffers from code execution and remote shell upload vulnerabilities. • https://www.exploit-db.com/exploits/34518 https://www.exploit-db.com/exploits/29674 https://www.exploit-db.com/exploits/29812 http://seclists.org/fulldisclosure/2014/Aug/88 https://www.manageengine.com/products/desktop-central/remote-code-execution.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •