
CVE-2021-20078
https://notcve.org/view.php?id=CVE-2021-20078
01 Apr 2021 — Manage Engine OpManager builds below 125346 are vulnerable to remote denial of service due to a path traversal issue in the spark gateway component. This allows a remote attacker to delete any directory or directories on the OS. • https://www.tenable.com/security/research/tra-2021-10 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2020-9367
https://notcve.org/view.php?id=CVE-2020-9367
18 Mar 2021 — The MPS Agent in Zoho ManageEngine Desktop Central MSP build 10.0.486 is vulnerable to DLL Hijacking: dcinventory.exe and dcconfig.exe try to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because this DLL is missing from the installation, thus making it possible to hijack the DLL and subsequently inject code, leading to an escalation of privilege to NT AUTHORITY\SYSTEM. • https://www.manageengine.com/desktop-management-msp/dll-hijacking-vulnerability.html • CWE-427: Uncontrolled Search Path Element

CVE-2020-35682
https://notcve.org/view.php?id=CVE-2020-35682
13 Mar 2021 — Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login). • https://github.com/its-arun/CVE-2020-35682 • CWE-863: Incorrect Authorization

CVE-2020-28050
https://notcve.org/view.php?id=CVE-2020-28050
05 Mar 2021 — Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server. • https://www.manageengine.com/products/desktop-central/cve-2020-28050.html • CWE-287: Improper Authentication

CVE-2020-35594
https://notcve.org/view.php?id=CVE-2020-35594
05 Mar 2021 — Zoho ManageEngine ADManager Plus before 7066 allows XSS. • https://www.manageengine.com/products/ad-manager/release-notes.html#7066 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-29658
https://notcve.org/view.php?id=CVE-2020-29658
05 Mar 2021 — Zoho ManageEngine Application Control Plus before 100523 has an insecure SSL configuration setting for Nginx, leading to Privilege Escalation. • https://www.manageengine.com/application-control/knowledge-base/privilege-escalation-vulnerability-open-SSL.html

CVE-2021-27214
https://notcve.org/view.php?id=CVE-2021-27214
19 Feb 2021 — A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905. • https://www.horizonsecurity.it/lang_EN/advisories/?a=20&title=ManageEngine+ADSelfService+Plus+privilege+escalation++CVE202127214 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-918: Server-Side Request Forgery (SSRF)

CVE-2020-35765
https://notcve.org/view.php?id=CVE-2020-35765
05 Feb 2021 — doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do. • https://www.manageengine.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2019-16268
https://notcve.org/view.php?id=CVE-2019-16268
03 Feb 2021 — Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen. • https://www.esecforte.com/responsible-vulnerability-disclosure-cve-2019-16268-html-injection-vulnerability-in-manageengine-remote-access-plus • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-28653 – ManageEngine OpManager SumPDU Java Deserialization
https://notcve.org/view.php?id=CVE-2020-28653
03 Feb 2021 — Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet. An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an arbitrary Java object. This can be abus... • https://packetstorm.news/files/id/164231