
CVE-2020-8509
https://notcve.org/view.php?id=CVE-2020-8509
30 Mar 2020 — Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure. • https://www.manageengine.com/products/desktop-central/unauthenticated-servlet-access.html • CWE-306: Missing Authentication for Critical Function

CVE-2019-15510
https://notcve.org/view.php?id=CVE-2019-15510
23 Mar 2020 — ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 10 allows HTML injection on the user administration page via the description of a role. • https://www.esecforte.com/responsible-vulnerability-disclosure-cve-2019-15510-manageengine-desktopcentral-v-10-vulnerable-to-html-injection • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-8540
https://notcve.org/view.php?id=CVE-2020-8540
11 Mar 2020 — An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. • https://www.manageengine.com/products/desktop-central/xxe-vulnerability.html • CWE-611: Improper Restriction of XML External Entity Reference • CWE-918: Server-Side Request Forgery (SSRF)

CVE-2020-10189 – Zoho ManageEngine Desktop Central File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2020-10189
06 Mar 2020 — Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets. • https://packetstorm.news/files/id/156730 • CWE-502: Deserialization of Untrusted Data

CVE-2013-7390 – ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution
https://notcve.org/view.php?id=CVE-2013-7390
27 Jan 2020 — Unrestricted file upload vulnerability in AgentLogUploadServlet in ManageEngine DesktopCentral 7.x and 8.0.0 before build 80293 allows remote attackers to execute arbitrary code by uploading a file with a jsp extension, then accessing it via a direct request to the file in the webroot. • https://www.exploit-db.com/exploits/34518 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2019-12876
https://notcve.org/view.php?id=CVE-2019-12876
17 Jul 2019 — Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System. • http://www.securityfocus.com/bid/109298 • CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2019-12133
https://notcve.org/view.php?id=CVE-2019-12133
18 Jun 2019 — Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus ... • https://github.com/active-labs/Advisories/blob/master/2019/ACTIVE-2019-007.md • CWE-427: Uncontrolled Search Path Element • CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2018-16833 – ManageEngine Desktop Central 10.0.271 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-16833
19 Sep 2018 — Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI. ManageEngine Desktop Central version 10.0.271 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/149436 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-13411
https://notcve.org/view.php?id=CVE-2018-13411
12 Sep 2018 — An issue was discovered in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version. • http://www.securityfocus.com/bid/105348 • CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2018-13412
https://notcve.org/view.php?id=CVE-2018-13412
12 Sep 2018 — An issue was discovered in the Self Service Portal in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version. • http://www.securityfocus.com/bid/105348 • CWE-732: Incorrect Permission Assignment for Critical Resource