CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Sep 2020 — An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to perform a scan in order to discover open ports on a machine as well as available machines on the network segment on which the instance of the product is deployed. • https://excellium-services.com/cert-xlm-advisory/cve-2020-15594 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 4.3 | EPSS: 2% | CPEs: 1 | EXPL: 1

29 Sep 2020 — An issue was discovered in Zoho Application Control Plus before version 10.0.511. The Element Configuration feature (to configure elements included in the scope of elements managed by the product) allows an attacker to retrieve the entire list of the IP ranges and subnets configured in the product and consequently obtain information about the cartography of the internal networks to which the product has access. • https://excellium-services.com/cert-xlm-advisory/CVE-2020-15595

CVSS: 9.8 | EPSS: 31% | CPEs: 89 | EXPL: 0

25 Sep 2020 — The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution. • https://www.manageengine.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 | EPSS: 7% | CPEs: 88 | EXPL: 0

25 Sep 2020 — Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS). • https://www.manageengine.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.2 | EPSS: 45% | CPEs: 87 | EXPL: 4

04 Sep 2020 — Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution. • https://packetstorm.news/files/id/159066 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 | EPSS: 6% | CPEs: 152 | EXPL: 0

31 Aug 2020 — An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166.... • https://medium.com/%40frycos/another-zoho-manageengine-story-7b472f1515f5 • CWE-287: Improper Authentication

CVSS: 10.0 | EPSS: 5% | CPEs: 5 | EXPL: 5

10 Aug 2020 — An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick-client soft... • https://packetstorm.news/files/id/158820 • CWE-269: Improper Privilege Management

CVSS: 9.8 | EPSS: 6% | CPEs: 1 | EXPL: 0

29 Jul 2020 — An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. This issue will occur only when untrusted communication is initiated with server. In cloud, Agent will always connect with trusted communication. • https://www.manageengine.com/products/desktop-central/integer-overflow-vulnerability.html • CWE-190: Integer Overflow or Wraparound; CWE-787: Out-of-bounds Write

CVSS: 7.5 | EPSS: 25% | CPEs: 269 | EXPL: 0

12 Jun 2020 — Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents. • https://gitlab.com/eLeN3Re/CVE-2020-14048 • CWE-306: Missing Authentication for Critical Function

CVSS: 7.5 | EPSS: 76% | CPEs: 26 | EXPL: 0

04 Jun 2020 — In Zoho ManageEngine OpManager before 125144, when cachestart is used, directory traversal validation can be bypassed. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the OpmSkipFilter... • https://www.manageengine.com/network-monitoring/help/read-me-complete.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')