CVSS: 7.2EPSS: 14%CPEs: 87EXPL: 2CVE-2020-14008 – ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)
https://notcve.org/view.php?id=CVE-2020-14008
Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution. Zoho ManageEngine Applications Manager versiones 14710 y anteriores, permite a un usuario administrador autenticado cargar un jar vulnerable en una ubicación específica, lo que conlleva a una ejecución de código remota • https://www.exploit-db.com/exploits/48793 http://packetstormsecurity.com/files/159066/ManageEngine-Applications-Manager-Authenticated-Remote-Code-Execution.html https://www.manageengine.com https://www.manageengine.com/products/applications_manager/issues.html#14730 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 0%CPEs: 11EXPL: 1CVE-2019-19799
https://notcve.org/view.php?id=CVE-2019-19799
Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet. Zoho ManageEngine Applications Manager anterior a la versión 14600 permite que un atacante remoto no autenticado revele información relacionada con la licencia a través del servlet WieldFeedServlet. • https://gitlab.com/eLeN3Re/cve-2019-19799 https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-19799.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 0CVE-2019-19649
https://notcve.org/view.php?id=CVE-2019-19649
Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function. Zoho ManageEngine Applications Manager versiones anteriores a 13620, permite una inyección SQL no autenticada remota por medio del parámetro eventid de SyncEventServlet en la función doGet del archivo SyncEventServlet.java. • https://gitlab.com/eLeN3Re/CVE-2019-19649 https://www.manageengine.com/products/applications_manager/release-notes.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19650
https://notcve.org/view.php?id=CVE-2019-19650
Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. Zoho ManageEngine Applications Manager versiones anteriores a 13640, permite una inyección SQL autenticada remota por medio del parámetro Agentid del agente servlet en la función del proceso Agent.java. • https://gitlab.com/eLeN3Re/CVE-2019-19650 https://www.manageengine.com/products/applications_manager/release-notes.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2019-11448 – ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-11448
An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file. Se ha descubierto un problema en Zoho ManageEngine Applications Manager 11.0 hasta 14.0. Un usuario no autenticado puede obtener la autoridad de SYSTEM en el servidor debido a una vulnerabilidad SQL injection en Popup_SLA.jsp. • https://www.exploit-db.com/exploits/46725 https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-SQLi-Remote-Code-Execution.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-11448.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •