CVSS: 7.2EPSS: 61%CPEs: 87EXPL: 3CVE-2020-14008 – ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)
https://notcve.org/view.php?id=CVE-2020-14008
04 Sep 2020 — Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution. Zoho ManageEngine Applications Manager versiones 14710 y anteriores, permite a un usuario administrador autenticado cargar un jar vulnerable en una ubicación específica, lo que conlleva a una ejecución de código remota • https://packetstorm.news/files/id/159066 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 6%CPEs: 11EXPL: 1CVE-2019-19799
https://notcve.org/view.php?id=CVE-2019-19799
13 Mar 2020 — Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet. Zoho ManageEngine Applications Manager anterior a la versión 14600 permite que un atacante remoto no autenticado revele información relacionada con la licencia a través del servlet WieldFeedServlet. • https://gitlab.com/eLeN3Re/cve-2019-19799 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 61%CPEs: 1EXPL: 0CVE-2019-19649
https://notcve.org/view.php?id=CVE-2019-19649
11 Dec 2019 — Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function. Zoho ManageEngine Applications Manager versiones anteriores a 13620, permite una inyección SQL no autenticada remota por medio del parámetro eventid de SyncEventServlet en la función doGet del archivo SyncEventServlet.java. • https://gitlab.com/eLeN3Re/CVE-2019-19649 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 7%CPEs: 1EXPL: 0CVE-2019-19650
https://notcve.org/view.php?id=CVE-2019-19650
11 Dec 2019 — Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. Zoho ManageEngine Applications Manager versiones anteriores a 13640, permite una inyección SQL autenticada remota por medio del parámetro Agentid del agente servlet en la función del proceso Agent.java. • https://gitlab.com/eLeN3Re/CVE-2019-19650 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 2CVE-2019-15104 – ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-15104
16 Aug 2019 — An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Se detectó un problema en Zoho ManageEngine OpManager versiones hasta 12.4x. • https://www.exploit-db.com/exploits/47227 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 2CVE-2019-15105 – ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-15105
16 Aug 2019 — An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Se detectó un problema en Zoho ManageEngine Application Manager versiones hasta 14.2. • https://www.exploit-db.com/exploits/47228 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 1%CPEs: 1EXPL: 1CVE-2017-11557
https://notcve.org/view.php?id=CVE-2017-11557
23 May 2019 — An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request. Fue encontrado un problema en ZOHO ManageEngine Applications Manager versión 12.3. Es posible que un usuario no autenticado vea la lista de nombres de dominio y nombres de usuario utilizados en el entorno de red de una empresa por medio de una solicitud user... • http://applications.com • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.1EPSS: 1%CPEs: 1EXPL: 1CVE-2017-11738
https://notcve.org/view.php?id=CVE-2017-11738
23 May 2019 — In Zoho ManageEngine Application Manager prior to 14.6 Build 14660, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack. En Zoho ManageEngine Application Manager anterior a la version 14.6 Build 14660, el parámetro 'haid' del módulo '/auditLogAction.do' es vulnerable a un ataque de inyección SQL tipo time-based-blind • http://application.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 1CVE-2017-11739
https://notcve.org/view.php?id=CVE-2017-11739
23 May 2019 — In Zoho ManageEngine Application Manager 13.1 Build 13100, an authenticated user, with administrative privileges, has the ability to add a widget on any dashboard. This widget can be a "Utility Widget" with a "Custom HTML or Text" field. Once this widget is created, it will be loaded on the dashboard where it was added. An attacker can abuse this functionality by creating a "Utility Widget" that contains malicious JavaScript code, aka XSS. En Zoho ManageEngine Application Manager 13.1 Build 13100, un usuari... • http://application.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 2%CPEs: 1EXPL: 1CVE-2017-11740
https://notcve.org/view.php?id=CVE-2017-11740
23 May 2019 — In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be executed upon the occurrence of an alarm. An attacker can abuse this functionality by uploading a malicious script that can be executed on the remote system. En Zoho ManageEngine Application Manager 13.1 Build 13100, el usuario administrativo tiene la capacidad para cargar archivos binarios que pueden ejecutarse cuando ocurre una alarma. Un atacante puede abusar de esta fun... • http://application.com • CWE-20: Improper Input Validation •