
CVE-2021-31857
https://notcve.org/view.php?id=CVE-2021-31857
16 Jun 2021 — In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, attackers are able to retrieve credentials via a browser extension for non-website resource types. • https://www.manageengine.com

CVE-2020-9347
https://notcve.org/view.php?id=CVE-2020-9347
16 Mar 2020 — Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products. • https://www.infigo.hr/upload/web_struktura/Zoho_ManageEngine_Password_Manager_Pro_10.x_CSV_Excel_Macro_Injection.txt • CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CVE-2020-9346
https://notcve.org/view.php?id=CVE-2020-9346
16 Mar 2020 — Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role. • https://www.infigo.hr/upload/web_struktura/Zoho_ManageEngine_Password_Manager_Pro_10.4_CSRF.txt • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2016-1159
https://notcve.org/view.php?id=CVE-2016-1159
09 Mar 2020 — In ZOHO Password Manager Pro (PMP) 8.3.0 (Build 8303) and 8.4.0 (Build 8400,8401,8402), underprivileged users can obtain sensitive information (entry password history) via a vulnerable hidden service. • http://jvn.jp/vu/JVNVU90405898/index.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2019-12133
https://notcve.org/view.php?id=CVE-2019-12133
18 Jun 2019 — Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus ... • https://github.com/active-labs/Advisories/blob/master/2019/ACTIVE-2019-007.md • CWE-427: Uncontrolled Search Path Element • CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2017-17698
https://notcve.org/view.php?id=CVE-2017-17698
15 Dec 2017 — Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflected XSS in SearchResult.ec and BulkAccessControlView.ec. • https://www.manageengine.com/products/passwordmanagerpro/release-notes.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2015-5459
https://notcve.org/view.php?id=CVE-2015-5459
08 Jul 2015 — SQL injection vulnerability in the AdvanceSearch.class in AdventNetPassTrix.jar in ManageEngine Password Manager Pro (PMP) before 8.1 Build 8101 allows remote authenticated users to execute arbitrary SQL commands via the ANDOR parameter, as demonstrated by a request to STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc. • http://packetstormsecurity.com/files/132511/ManageEngine-Password-Manager-Pro-8.1-SQL-Injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2014-8498 – Password Manager Pro / Pro MSP - Blind SQL Injection
https://notcve.org/view.php?id=CVE-2014-8498
09 Nov 2014 — SQL injection vulnerability in BulkEditSearchResult.cc in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allows remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter. • https://packetstorm.news/files/id/129036 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2014-3997 – ManageEngine Password Manager Pro / ManageEngine IT360 - SQL Injection
https://notcve.org/view.php?id=CVE-2014-3997
20 Aug 2014 — SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat. • https://packetstorm.news/files/id/127942 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')