CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-7405
https://notcve.org/view.php?id=CVE-2018-7405
Cross-site scripting (XSS) in Zoho ManageEngine EventLog Analyzer before 11.12 Build 11120 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad de Cross-Site Scripting (XSS) en versiones anteriores a la 11.12 Build 11120 de Zoho ManageEngine EventLog Analyzer permite a atacantes remotos inyectar scripts web o HTML arbitrarios utilizando vectores no especificados. • https://pitstop.manageengine.com/portal/community/topic/security-notice https://www.manageengine.com/products/eventlog/release-notes.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2017-11686
https://notcve.org/view.php?id=CVE-2017-11686
Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attackers to obtain an authenticated user's password via XSS vulnerabilities or sniffing non-SSL traffic on the network, because the password is represented in a cookie with a reversible encoding method. Zoho ManageEngine Event Log Analyzer versiones 11.4 y 11.5, permite a los atacantes remotos obtener la contraseña de un usuario autenticado por medio de vulnerabilidades XSS o espiando el tráfico no SSL en la red, porque la contraseña se representa en una cookie con un método de codificación reversible. • http://init6.me/exploiting-manageengine-eventlog-analyzer.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2017-11685
https://notcve.org/view.php?id=CVE-2017-11685
Multiple Reflective cross-site scripting (XSS) vulnerabilities in search and display of event data in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML, as demonstrated by the fName parameter. Múltiples vulnerabilidades de tipo cross-site-scripting (XSS) reflexivo en la búsqueda y visualización de datos de eventos en Zoho ManageEngine Event Log Analyzer versiones 11.4 y 11.5, permiten a los atacantes remotos inyectar scripts web o HTML arbitrarios, como es demostrado por el parámetro fName. • http://init6.me/exploiting-manageengine-eventlog-analyzer.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2017-11687
https://notcve.org/view.php?id=CVE-2017-11687
Multiple Persistent cross-site scripting (XSS) vulnerabilities in Event log parsing and Display functions in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML via syslog. Múltiples vulnerabilidades de tipo cross-site-scripting (XSS) persistentes en las funciones de visualización y análisis de registro de eventos en Zoho ManageEngine Event Log Analyzer versiones 11.4 y 11.5, permiten a los atacantes remotos inyectar scripts web o HTML arbitrarios por medio de syslog. • http://init6.me/exploiting-manageengine-eventlog-analyzer.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 90%CPEs: 1EXPL: 6CVE-2015-7387 – ManageEngine EventLog Analyzer Remote Code Execution
https://notcve.org/view.php?id=CVE-2015-7387
ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200. ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 y versiones anteriores permite a los atacantes remotos eludir las restricciones previstas y ejecutar comandos SQL arbitrarios a través de una consulta permitida seguida de una no permitida en el parámetro de consulta para event / runQuery.do, como lo demuestra "SELECT 1; INSERT INTO ". Corregido en Build 11200. • https://www.exploit-db.com/exploits/38173 https://www.exploit-db.com/exploits/38352 http://packetstormsecurity.com/files/133581/ManageEngine-EventLog-Analyzer-10.6-Build-10060-SQL-Query-Execution.html http://packetstormsecurity.com/files/133747/ManageEngine-EventLog-Analyzer-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2015/Sep/59 http://www.rapid7.com/db/modules/exploit/windows/misc/manageengine_eventlog_analyzer_rce https://seclists.org/fulldisclosure/2015/Sep/59 https://raw.githubusercon • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •