CVSS: 8.8EPSS: 0%CPEs: 106EXPL: 0CVE-2020-27733
https://notcve.org/view.php?id=CVE-2020-27733
19 Jan 2021 — Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request. Zoho ManageEngine Applications Manager anterior a la versión 14 build 14880, permite una inyección SQL autenticada por medio de una petición Alarmview diseñada • https://www.manageengine.com/products/applications_manager/issues.html#v14880 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 2%CPEs: 1EXPL: 1CVE-2019-16962
https://notcve.org/view.php?id=CVE-2019-16962
06 Jan 2021 — Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a modified Report Name in a New Custom Report. Zoho ManageEngine Desktop Central versión 10.0.430, permite una inyección de HTML por medio de un Nombre de Reporte modificado en un Nuevo Reporte Personalizado • https://www.esecforte.com/manage-engine-desktopcentral-india-html-injection-vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 30%CPEs: 68EXPL: 0CVE-2020-27995
https://notcve.org/view.php?id=CVE-2020-27995
29 Oct 2020 — SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter. Una inyección SQL en Zoho ManageEngine Applications Manager 14 versiones anteriores a 14560, permite a un atacante ejecutar comandos en el servidor por medio del parámetro template_resid del archivo MyPage.do • https://www.manageengine.com/products/applications_manager/issues.html#v14560 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 32%CPEs: 10EXPL: 0CVE-2020-10816
https://notcve.org/view.php?id=CVE-2020-10816
08 Oct 2020 — Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet. Zoho ManageEngine Applications Manager versiones 14780 y anteriores, permiten a un atacante remoto no autenticado registrar servidores administrados por medio del servlet AAMRequestProcessor • https://gitlab.com/eLeN3Re/CVE-2020-10816 • CWE-287: Improper Authentication •
CVSS: 8.8EPSS: 1%CPEs: 7EXPL: 0CVE-2020-16267
https://notcve.org/view.php?id=CVE-2020-16267
06 Oct 2020 — Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module. Zoho ManageEngine Applications Manager versión 14740 y anteriores, permite una inyección SQL autenticada por medio de una petición jsp diseñada en el módulo RCA • https://www.manageengine.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 1%CPEs: 7EXPL: 0CVE-2020-15927
https://notcve.org/view.php?id=CVE-2020-15927
06 Oct 2020 — Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module. Zoho ManageEngine Applications Manager versión 14740 y anteriores, permite una inyección SQL autenticada por medio de una petición jsp diseñada en el módulo SAP • https://www.manageengine.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.1EPSS: 4%CPEs: 2EXPL: 0CVE-2020-15589
https://notcve.org/view.php?id=CVE-2020-15589
02 Oct 2020 — A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W and Remote Access Plus before 10.1.2119.1. By exploiting this issue, an attacker-controlled server can force the client to skip TLS certificate validation, leading to a man-in-the-middle attack against HTTPS and unauthenticated remote code execution. Se detectó un problema de diseño en GetInternetRequestHandle, InternetSendReques... • https://www.manageengine.com/products/desktop-central •
CVSS: 9.0EPSS: 12%CPEs: 1EXPL: 0CVE-2020-24397
https://notcve.org/view.php?id=CVE-2020-24397
02 Oct 2020 — An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. Se detectó un problema en el lado del cliente de Zoho ManageEngine Desktop Central versión 10.0.0.SP-534. Un servidor controlado por un atacante puede desencadenar un desbordamiento de enteros en las... • https://www.manageengine.com/products/desktop-central • CWE-190: Integer Overflow or Wraparound CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 11%CPEs: 13EXPL: 0CVE-2020-15533
https://notcve.org/view.php?id=CVE-2020-15533
01 Oct 2020 — In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack. En Zoho ManageEngine Application Manager versión 14.7 Build 14730 (versiones anteriores a 14684, y entre 14689 y 14750), el módulo AlarmEscalation es vulnerable a un ataque de inyección SQL no autenticado • https://www.manageengine.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 15%CPEs: 19EXPL: 1CVE-2018-5353
https://notcve.org/view.php?id=CVE-2018-5353
29 Sep 2020 — The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the... • https://github.com/missing0x00/CVE-2018-5353 • CWE-290: Authentication Bypass by Spoofing •