CVSS: 7.2EPSS: 61%CPEs: 87EXPL: 3CVE-2020-14008 – ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)
https://notcve.org/view.php?id=CVE-2020-14008
04 Sep 2020 — Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution. Zoho ManageEngine Applications Manager versiones 14710 y anteriores, permite a un usuario administrador autenticado cargar un jar vulnerable en una ubicación específica, lo que conlleva a una ejecución de código remota • https://packetstorm.news/files/id/159066 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 23%CPEs: 11EXPL: 1CVE-2019-19799
https://notcve.org/view.php?id=CVE-2019-19799
13 Mar 2020 — Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet. Zoho ManageEngine Applications Manager anterior a la versión 14600 permite que un atacante remoto no autenticado revele información relacionada con la licencia a través del servlet WieldFeedServlet. • https://gitlab.com/eLeN3Re/cve-2019-19799 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 61%CPEs: 1EXPL: 0CVE-2019-19649
https://notcve.org/view.php?id=CVE-2019-19649
11 Dec 2019 — Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function. Zoho ManageEngine Applications Manager versiones anteriores a 13620, permite una inyección SQL no autenticada remota por medio del parámetro eventid de SyncEventServlet en la función doGet del archivo SyncEventServlet.java. • https://gitlab.com/eLeN3Re/CVE-2019-19649 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 7%CPEs: 1EXPL: 0CVE-2019-19650
https://notcve.org/view.php?id=CVE-2019-19650
11 Dec 2019 — Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. Zoho ManageEngine Applications Manager versiones anteriores a 13640, permite una inyección SQL autenticada remota por medio del parámetro Agentid del agente servlet en la función del proceso Agent.java. • https://gitlab.com/eLeN3Re/CVE-2019-19650 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 2CVE-2019-15104 – ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-15104
16 Aug 2019 — An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Se detectó un problema en Zoho ManageEngine OpManager versiones hasta 12.4x. • https://www.exploit-db.com/exploits/47227 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 2CVE-2019-15105 – ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-15105
16 Aug 2019 — An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Se detectó un problema en Zoho ManageEngine Application Manager versiones hasta 14.2. • https://www.exploit-db.com/exploits/47228 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.1EPSS: 1%CPEs: 1EXPL: 1CVE-2017-11738
https://notcve.org/view.php?id=CVE-2017-11738
23 May 2019 — In Zoho ManageEngine Application Manager prior to 14.6 Build 14660, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack. En Zoho ManageEngine Application Manager anterior a la version 14.6 Build 14660, el parámetro 'haid' del módulo '/auditLogAction.do' es vulnerable a un ataque de inyección SQL tipo time-based-blind • http://application.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 1CVE-2017-11739
https://notcve.org/view.php?id=CVE-2017-11739
23 May 2019 — In Zoho ManageEngine Application Manager 13.1 Build 13100, an authenticated user, with administrative privileges, has the ability to add a widget on any dashboard. This widget can be a "Utility Widget" with a "Custom HTML or Text" field. Once this widget is created, it will be loaded on the dashboard where it was added. An attacker can abuse this functionality by creating a "Utility Widget" that contains malicious JavaScript code, aka XSS. En Zoho ManageEngine Application Manager 13.1 Build 13100, un usuari... • http://application.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 2%CPEs: 1EXPL: 1CVE-2017-11740
https://notcve.org/view.php?id=CVE-2017-11740
23 May 2019 — In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be executed upon the occurrence of an alarm. An attacker can abuse this functionality by uploading a malicious script that can be executed on the remote system. En Zoho ManageEngine Application Manager 13.1 Build 13100, el usuario administrativo tiene la capacidad para cargar archivos binarios que pueden ejecutarse cuando ocurre una alarma. Un atacante puede abusar de esta fun... • http://application.com • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 7%CPEs: 1EXPL: 4CVE-2019-11469 – ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-11469
23 Apr 2019 — Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature. Zoho ManageEngine Applications Manager, versiones desde 12 hasta 14, permite la inyección de SQL del resourceid FaultTemplateOptions.jsp. Posteriormente, un usuario no autenticado puede obtener la autoridad de SYSTEM en el servidor cargando ... • https://packetstorm.news/files/id/152607 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •