CVSS: 9.8EPSS: 31%CPEs: 89EXPL: 0CVE-2020-15394
https://notcve.org/view.php?id=CVE-2020-15394
25 Sep 2020 — The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution. La API REST en Zoho ManageEngine Applications Manager versiones anteriores a build 14740, permite una inyección SQL no autenticada por medio de una petición diseñada, conllevando a una ejecución de código remota • https://www.manageengine.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 7%CPEs: 88EXPL: 0CVE-2020-15521
https://notcve.org/view.php?id=CVE-2020-15521
25 Sep 2020 — Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS) . Zoho ManageEngine Applications Manager versiones anteriores a 14 build 14730, no presenta protección contra un Cross-site Scripting (XSS) del archivo jsp/header.jsp • https://www.manageengine.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 61%CPEs: 87EXPL: 3CVE-2020-14008 – ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)
https://notcve.org/view.php?id=CVE-2020-14008
04 Sep 2020 — Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution. Zoho ManageEngine Applications Manager versiones 14710 y anteriores, permite a un usuario administrador autenticado cargar un jar vulnerable en una ubicación específica, lo que conlleva a una ejecución de código remota • https://packetstorm.news/files/id/159066 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 23%CPEs: 11EXPL: 1CVE-2019-19799
https://notcve.org/view.php?id=CVE-2019-19799
13 Mar 2020 — Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet. Zoho ManageEngine Applications Manager anterior a la versión 14600 permite que un atacante remoto no autenticado revele información relacionada con la licencia a través del servlet WieldFeedServlet. • https://gitlab.com/eLeN3Re/cve-2019-19799 • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.3EPSS: 36%CPEs: 61EXPL: 0CVE-2019-19800
https://notcve.org/view.php?id=CVE-2019-19800
06 Feb 2020 — Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet. Zoho ManageEngine Applications Manager 14 versiones anteriores a 14520, permite a un atacante remoto no autenticado revelar nombres de archivos del Sistema Operativo por medio de FailOverHelperServlet. • https://gitlab.com/eLeN3Re/CVE-2019-19800 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 61%CPEs: 1EXPL: 0CVE-2019-19649
https://notcve.org/view.php?id=CVE-2019-19649
11 Dec 2019 — Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function. Zoho ManageEngine Applications Manager versiones anteriores a 13620, permite una inyección SQL no autenticada remota por medio del parámetro eventid de SyncEventServlet en la función doGet del archivo SyncEventServlet.java. • https://gitlab.com/eLeN3Re/CVE-2019-19649 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 7%CPEs: 1EXPL: 0CVE-2019-19650
https://notcve.org/view.php?id=CVE-2019-19650
11 Dec 2019 — Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. Zoho ManageEngine Applications Manager versiones anteriores a 13640, permite una inyección SQL autenticada remota por medio del parámetro Agentid del agente servlet en la función del proceso Agent.java. • https://gitlab.com/eLeN3Re/CVE-2019-19650 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 2CVE-2019-15104 – ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-15104
16 Aug 2019 — An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Se detectó un problema en Zoho ManageEngine OpManager versiones hasta 12.4x. • https://www.exploit-db.com/exploits/47227 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 2CVE-2019-15105 – ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-15105
16 Aug 2019 — An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Se detectó un problema en Zoho ManageEngine Application Manager versiones hasta 14.2. • https://www.exploit-db.com/exploits/47228 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 1%CPEs: 1EXPL: 1CVE-2017-11557
https://notcve.org/view.php?id=CVE-2017-11557
23 May 2019 — An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request. Fue encontrado un problema en ZOHO ManageEngine Applications Manager versión 12.3. Es posible que un usuario no autenticado vea la lista de nombres de dominio y nombres de usuario utilizados en el entorno de red de una empresa por medio de una solicitud user... • http://applications.com • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •