CVSS: 8.8EPSS: 7%CPEs: 1EXPL: 0CVE-2019-19650
https://notcve.org/view.php?id=CVE-2019-19650
11 Dec 2019 — Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. Zoho ManageEngine Applications Manager versiones anteriores a 13640, permite una inyección SQL autenticada remota por medio del parámetro Agentid del agente servlet en la función del proceso Agent.java. • https://gitlab.com/eLeN3Re/CVE-2019-19650 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 2CVE-2019-15104 – ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-15104
16 Aug 2019 — An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Se detectó un problema en Zoho ManageEngine OpManager versiones hasta 12.4x. • https://www.exploit-db.com/exploits/47227 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 2CVE-2019-15105 – ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-15105
16 Aug 2019 — An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Se detectó un problema en Zoho ManageEngine Application Manager versiones hasta 14.2. • https://www.exploit-db.com/exploits/47228 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 1%CPEs: 1EXPL: 1CVE-2017-11557
https://notcve.org/view.php?id=CVE-2017-11557
23 May 2019 — An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request. Fue encontrado un problema en ZOHO ManageEngine Applications Manager versión 12.3. Es posible que un usuario no autenticado vea la lista de nombres de dominio y nombres de usuario utilizados en el entorno de red de una empresa por medio de una solicitud user... • http://applications.com • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.1EPSS: 1%CPEs: 1EXPL: 1CVE-2017-11738
https://notcve.org/view.php?id=CVE-2017-11738
23 May 2019 — In Zoho ManageEngine Application Manager prior to 14.6 Build 14660, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack. En Zoho ManageEngine Application Manager anterior a la version 14.6 Build 14660, el parámetro 'haid' del módulo '/auditLogAction.do' es vulnerable a un ataque de inyección SQL tipo time-based-blind • http://application.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 1CVE-2017-11739
https://notcve.org/view.php?id=CVE-2017-11739
23 May 2019 — In Zoho ManageEngine Application Manager 13.1 Build 13100, an authenticated user, with administrative privileges, has the ability to add a widget on any dashboard. This widget can be a "Utility Widget" with a "Custom HTML or Text" field. Once this widget is created, it will be loaded on the dashboard where it was added. An attacker can abuse this functionality by creating a "Utility Widget" that contains malicious JavaScript code, aka XSS. En Zoho ManageEngine Application Manager 13.1 Build 13100, un usuari... • http://application.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 2%CPEs: 1EXPL: 1CVE-2017-11740
https://notcve.org/view.php?id=CVE-2017-11740
23 May 2019 — In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be executed upon the occurrence of an alarm. An attacker can abuse this functionality by uploading a malicious script that can be executed on the remote system. En Zoho ManageEngine Application Manager 13.1 Build 13100, el usuario administrativo tiene la capacidad para cargar archivos binarios que pueden ejecutarse cuando ocurre una alarma. Un atacante puede abusar de esta fun... • http://application.com • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 7%CPEs: 1EXPL: 4CVE-2019-11469 – ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-11469
23 Apr 2019 — Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature. Zoho ManageEngine Applications Manager, versiones desde 12 hasta 14, permite la inyección de SQL del resourceid FaultTemplateOptions.jsp. Posteriormente, un usuario no autenticado puede obtener la autoridad de SYSTEM en el servidor cargando ... • https://packetstorm.news/files/id/152607 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 26%CPEs: 1EXPL: 2CVE-2019-11448 – ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-11448
22 Apr 2019 — An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file. Se ha descubierto un problema en Zoho ManageEngine Applications Manager 11.0 hasta 14.0. Un usuario no autenticado puede obtener la autoridad de SYSTEM en el servidor debido a una vulnerabilidad SQL injection en Popup_SL... • https://www.exploit-db.com/exploits/46725 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.3EPSS: 2%CPEs: 10EXPL: 1CVE-2018-16364
https://notcve.org/view.php?id=CVE-2018-16364
26 Sep 2018 — A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share. Una vulnerabilidad de serialización en Zoho ManageEngine Applications Manager antes de la build 13740 permite la ejecución remota de código en Windows mediante una carga útil en una compartición SMB. • https://blog.jamesotten.com/post/applications-manager-rce • CWE-502: Deserialization of Untrusted Data •