CVE-2022-35404
https://notcve.org/view.php?id=CVE-2022-35404
ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine. ManageEngine Password Manager Pro versiones 12100 y anteriores y OPManager versiones 126100 y anteriores son vulnerables a una creación no autorizada de archivos y directorios en un equipo servidor • https://manageengine.com https://www.manageengine.com/itom/advisory/cve-2022-35404.html • CWE-20: Improper Input Validation •
CVE-2019-12133
https://notcve.org/view.php?id=CVE-2019-12133
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus. Varios productos Zoho ManageEngine sufren una escalada de privilegios locales debido a permisos inapropiados para el directorio %SYSTEMDRIVE%\ManageEngine y sus subcarpetas. • https://github.com/active-labs/Advisories/blob/master/2019/ACTIVE-2019-007.md https://www.manageengine.com/products/desktop-central/elevation-of-privilege-vulnerability.html • CWE-427: Uncontrolled Search Path Element CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2019-12196
https://notcve.org/view.php?id=CVE-2019-12196
A SQL injection vulnerability in /client/api/json/v2/nfareports/compareReport in Zoho ManageEngine NetFlow Analyzer 12.3 allows attackers to execute arbitrary SQL commands via the DeviceID parameter. Una vulnerabilidad de inyección SQL en la función /client/api/json/v2/nfareports/compareReport en Zoho ManageEngine NetFlow Analyzer versión 12.3, permite a los atacantes ejecutar comandos SQL arbitrarios por medio del parámetro DeviceID. • http://www.securityfocus.com/bid/108672 https://www.manageengine.com/products/netflow/readme.html#124029 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2019-8925 – Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-8925
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. An Absolute Path Traversal vulnerability in the Administration zone, in /netflow/servlet/CReportPDFServlet (via the parameter schFilePath), allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via any file name, such as a schFilePath=C:\boot.ini value. Se descubrió un problema en Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. Una vulnerabilidad Absolute Path Traversal en la zona de Administración, en / netflow / servlet / CReportPDFServlet (a través del parámetro schFilePath), permite a los usuarios autenticados remotos eludir las restricciones de SecurityManager previstas y listar un directorio principal a través de cualquier nombre de archivo, como schFilePath = C: Valor \ boot.ini. Zoho ManageEngine Netflow Analyzer Professional version 7.0.0.2 suffers from cross site scripting and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/46425 http://packetstormsecurity.com/files/151757/Zoho-ManageEngine-Netflow-Analyzer-Professional-7.0.0.2-Traversal-XSS.html http://seclists.org/fulldisclosure/2019/Feb/45 https://www.manageengine.com/products/netflow/?doc • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2019-8926 – Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-8926
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/popup1.jsp file via these GET parameters: bussAlert, customDev, and selSource. Se descubrió un problema en Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS existe en el archivo /netflow/jspui/popup1.jsp de la zona de administración a través de estos parámetros GET: bussAlert, customDev y selSource. Zoho ManageEngine Netflow Analyzer Professional version 7.0.0.2 suffers from cross site scripting and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/46425 http://packetstormsecurity.com/files/151757/Zoho-ManageEngine-Netflow-Analyzer-Professional-7.0.0.2-Traversal-XSS.html http://seclists.org/fulldisclosure/2019/Feb/45 https://www.manageengine.com/products/netflow/?doc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •