CVE-2014-6038 – ManageEngine EventLog Analyzer - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-6038
Zoho ManageEngine EventLog Analyzer versions 7 through 9.9 build 9002 have a database Information Disclosure Vulnerability. Fixed in EventLog Analyzer 10.0 Build 10000. ManageEngine EventLog Analyzer suffers from SQL information and credential disclosure vulnerabilities.
• https://www.exploit-db.com/exploits/43893
• http://packetstormsecurity.com/files/128996/ManageEngine-EventLog-Analyzer-SQL-Credential-Disclosure.html
• http://seclists.org/fulldisclosure/2014/Nov/12
• http://www.securityfocus.com/bid/70959
• https://exchange.xforce.ibmcloud.com/vulnerabilities/98540
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2014-6039 – ManageEngine EventLog Analyzer - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-6039
ManageEngine EventLog Analyzer versions 7 through 9.9 build 9002 have a Credentials Disclosure Vulnerability. Fixed in version 10 Build 10000. ManageEngine EventLog Analyzer suffers from SQL information and credential disclosure vulnerabilities.
• https://www.exploit-db.com/exploits/43893
• http://packetstormsecurity.com/files/128996/ManageEngine-EventLog-Analyzer-SQL-Credential-Disclosure.html
• http://seclists.org/fulldisclosure/2014/Nov/12
• http://www.securityfocus.com/bid/70960
• https://exchange.xforce.ibmcloud.com/vulnerabilities/98539
• CWE-522: Insufficiently Protected Credentials
CVE-2014-4930
https://notcve.org/view.php?id=CVE-2014-4930
Multiple cross-site scripting (XSS) vulnerabilities in event/index2.do in ManageEngine EventLog Analyzer before 9.0 build 9002 allow remote attackers to inject arbitrary web script or HTML via the (1) width, (2) height, (3) url, (4) helpP, (5) tab, (6) module, (7) completeData, (8) RBBNAME, (9) TC, (10) rtype, (11) eventCriteria, (12) q, (13) flushCache, or (14) product parameter. Fixed in Build 11072.
• http://packetstormsecurity.com/files/128012/ManageEngine-EventLog-Analyzer-7-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2014/Aug/74
• http://www.securityfocus.com/bid/69420
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')