CVSS: 8.8EPSS: 0%CPEs: 71EXPL: 0CVE-2022-40772 – ManageEngine ServiceDesk Plus MSP generateSQLReport Improper Input Validation Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-40772
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module. Las versiones 13010 y anteriores de Zoho ManageEngine ServiceDesk Plus son vulnerables a una omisión de validación que permite a los usuarios acceder a datos confidenciales a través del módulo de informes. This vulnerability allows remote attackers to escalate privileges on affected installations of ManageEngine ServiceDesk Plus MSP. Authentication is required to exploit this vulnerability. The specific flaw exists within the generateSQLReport function. The issue results from the lack of proper validation of a user-supplied data. • https://manageengine.com https://www.manageengine.com/products/service-desk/CVE-2022-40772.html •
CVSS: 5.5EPSS: 0%CPEs: 64EXPL: 0CVE-2022-40771 – ManageEngine ServiceDesk Plus getAsDoc XML External Entity Processing Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2022-40771
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure. Las versiones 13010 y anteriores de Zoho ManageEngine ServiceDesk Plus son vulnerables a un ataque de Entidad Externa XML (XXE) que conduce a la divulgación de información. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ManageEngine ServiceDesk Plus. Authentication is required to exploit this vulnerability. The specific flaw exists within the getAsDoc function. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. • https://manageengine.com https://www.manageengine.com/products/service-desk/CVE-2022-40771.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 0%CPEs: 65EXPL: 0CVE-2022-35403
https://notcve.org/view.php?id=CVE-2022-35403
Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability via ticket-creation email. (This also affects Asset Explorer before 6977 with authentication.) Zoho ManageEngine ServiceDesk Plus versiones anteriores a 13008, ServiceDesk Plus MSP versiones anteriores a 10606 y SupportCenter Plus versiones anteriores a 11022 están afectados por una vulnerabilidad de divulgación de archivos locales sin autenticación por medio del correo electrónico de creación de tickets. (Esto también afecta a Asset Explorer versiones anteriores a 6977 con autenticación) • https://www.manageengine.com/products/service-desk/cve-2022-35403.html •
CVSS: 7.2EPSS: 7%CPEs: 1EXPL: 2CVE-2019-19034 – ManageEngine AssetExplorer Authenticated Command Execution
https://notcve.org/view.php?id=CVE-2019-19034
Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges. Zoho ManageEngine Asset Explorer versión 6.5, no comprueba el nombre de usuario de la base de datos de System Center Configuration Manager (SCCM) cuando genera dinámicamente un comando para programar escaneos para SCCM. Esto permite a un atacante ejecutar comandos arbitrarios en el servidor AssetExplorer con privilegios NT AUTHORITY/SYSTEM. ManageEngine AssetExplorer versions prior to 6.5 (6503) suffer from an authenticated remote command execution vulnerability. • http://packetstormsecurity.com/files/157731/ManageEngine-AssetExplorer-Authenticated-Command-Execution.html http://seclists.org/fulldisclosure/2020/May/36 https://www.manageengine.com/products/asset-explorer/sp-readme.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 2CVE-2020-8838 – ManageEngine Asset Explorer Windows Agent Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-8838
An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. During an upgrade of the Windows agent, it does not validate the source and binary downloaded. This allows an attacker on an adjacent network to execute code with NT AUTHORITY/SYSTEM privileges on the agent machines by providing an arbitrary executable via a man-in-the-middle attack. Se detectó un problema en Zoho ManageEngine AssetExplorer versión 6.5. Durante una actualización del agente de Windows, no comprueba la fuente y el binario descargado. • http://packetstormsecurity.com/files/157612/ManageEngine-Asset-Explorer-Windows-Agent-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2020/May/29 https://www.manageengine.com/products/asset-explorer/sp-readme.html • CWE-354: Improper Validation of Integrity Check Value •