CVSS: 10.0EPSS: 26%CPEs: 1EXPL: 2CVE-2019-11448 – ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-11448
22 Apr 2019 — An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file. Se ha descubierto un problema en Zoho ManageEngine Applications Manager 11.0 hasta 14.0. Un usuario no autenticado puede obtener la autoridad de SYSTEM en el servidor debido a una vulnerabilidad SQL injection en Popup_SL... • https://www.exploit-db.com/exploits/46725 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2018-15168
https://notcve.org/view.php?id=CVE-2018-15168
08 Aug 2018 — A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request. Existe una vulnerabilidad de inyección SQL en Zoho ManageEngine Applications Manager 13 antes de la build 13820 mediante el parámetro resids en una petición GET en /editDisplaynames.do?method=editDisplaynames. • https://github.com/x-f1v3/ForCve/issues/2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-15169
https://notcve.org/view.php?id=CVE-2018-15169
08 Aug 2018 — A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager 13 before build 13820 allows remote attackers to inject arbitrary web script or HTML via the /deleteMO.do method parameter. Una vulnerabilidad de Cross-Site Scripting (XSS) reflejado en Zoho ManageEngine Applications Manager 13 antes de la build 13820 permite a atacantes remotos inyectar scripts web o HTML arbitrarios mediante el parámetro "method" en /deleteMO.do. • https://github.com/x-f1v3/ForCve/issues/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 87%CPEs: 1EXPL: 5CVE-2018-7890 – ManageEngine Applications Manager 13.5 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-7890
08 Mar 2018 — A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection. Se ha desc... • https://packetstorm.news/files/id/146951 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •