
CVE-2017-11686
https://notcve.org/view.php?id=CVE-2017-11686
27 Jul 2017 — Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attackers to obtain an authenticated user's password via XSS vulnerabilities or sniffing non-SSL traffic on the network, because the password is represented in a cookie with a reversible encoding method. • http://init6.me/exploiting-manageengine-eventlog-analyzer.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-11687
https://notcve.org/view.php?id=CVE-2017-11687
27 Jul 2017 — Multiple Persistent cross-site scripting (XSS) vulnerabilities in Event log parsing and Display functions in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML via syslog. • http://init6.me/exploiting-manageengine-eventlog-analyzer.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2015-7387 – ManageEngine EventLog Analyzer < 10.6 build 10060 - SQL Execution
https://notcve.org/view.php?id=CVE-2015-7387
28 Sep 2015 — ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200. • https://www.exploit-db.com/exploits/38173 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2014-6038 – ManageEngine EventLog Analyzer - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-6038
06 Nov 2014 — Zoho ManageEngine EventLog Analyzer versions 7 through 9.9 build 9002 have a database Information Disclosure Vulnerability. Fixed in EventLog Analyzer 10.0 Build 10000. ManageEngine EventLog Analyzer suffers from SQL information and credential disclosure vulnerabilities. • https://packetstorm.news/files/id/180606 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2014-6039 – ManageEngine EventLog Analyzer - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-6039
06 Nov 2014 — ManageEngine EventLog Analyzer version 7 through 9.9 build 9002 has a Credentials Disclosure Vulnerability. Fixed version 10 Build 10000. ManageEngine EventLog Analyzer suffers from SQL information and credential disclosure vulnerabilities. • https://packetstorm.news/files/id/180606 • CWE-522: Insufficiently Protected Credentials

CVE-2014-6043 – ManageEngine EventLog Analyzer - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-6043
01 Sep 2014 — ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000. • https://packetstorm.news/files/id/128102 • CWE-264: Permissions, Privileges, and Access Controls

CVE-2014-6037 – ManageEngine EventLog Analyzer UploadHandlerServlet File Upload Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-6037
01 Sep 2014 — Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its name, then accessing the executable via a direct request to the file under the web root. Fixed in Build 11072. • https://packetstorm.news/files/id/128233 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2014-4930 – ManageEngine EventLog Analyzer 7 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-4930
27 Aug 2014 — Multiple cross-site scripting (XSS) vulnerabilities in event/index2.do in ManageEngine EventLog Analyzer before 9.0 build 9002 allow remote attackers to inject arbitrary web script or HTML via the (1) width, (2) height, (3) url, (4) helpP, (5) tab, (6) module, (7) completeData, (8) RBBNAME, (9) TC, (10) rtype, (11) eventCriteria, (12) q, (13) flushCache, or (14) product parameter. Fixed in Build 11072. • http://packetstormsecurity.com/files/128012/ManageEngine-EventLog-Analyzer-7-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2014-5103
https://notcve.org/view.php?id=CVE-2014-5103
25 Jul 2014 — Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine EventLog Analyzer 9 build 9000 allows remote attackers to inject arbitrary web script or HTML via the j_username parameter to event/j_security_check. Fixed in Version 10 Build 10000. • http://packetstormsecurity.com/files/127568/EventLog-Analyzer-9.0-Build-9000-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')