CVE-2020-15394
https://notcve.org/view.php?id=CVE-2020-15394
The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution.
• https://www.manageengine.com
• https://www.manageengine.com/products/applications_manager/issues.html#v14740
• https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2020-15394.html
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-15521
https://notcve.org/view.php?id=CVE-2020-15521
Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS).
• https://www.manageengine.com
• https://www.manageengine.com/products/applications_manager/issues.html#v14730
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-14008 – ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)
https://notcve.org/view.php?id=CVE-2020-14008
Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution.
• https://www.exploit-db.com/exploits/48793
• http://packetstormsecurity.com/files/159066/ManageEngine-Applications-Manager-Authenticated-Remote-Code-Execution.html
• https://www.manageengine.com
• https://www.manageengine.com/products/applications_manager/issues.html#14730
• CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2019-19799
https://notcve.org/view.php?id=CVE-2019-19799
Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license-related information via the WieldFeedServlet servlet.
• https://gitlab.com/eLeN3Re/cve-2019-19799
• https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-19799.html
• CWE-306: Missing Authentication for Critical Function
CVE-2019-19800
https://notcve.org/view.php?id=CVE-2019-19800
Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet.
• https://gitlab.com/eLeN3Re/CVE-2019-19800
• https://www.manageengine.com
• https://www.manageengine.com/products/applications_manager/release-notes.html
• CWE-306: Missing Authentication for Critical Function