CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-28050
https://notcve.org/view.php?id=CVE-2020-28050
Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server. Zoho ManageEngine Desktop Central anteriores al build 10.0.647, permite a un único secreto de autenticación de múltiples agentes comunicarse con el servidor • https://www.manageengine.com/products/desktop-central/cve-2020-28050.html https://www.manageengine.com/products/desktop-central/fixing-multiple-vulnerabilities.html • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15588
https://notcve.org/view.php?id=CVE-2020-15588
An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. This issue will occur only when untrusted communication is initiated with server. In cloud, Agent will always connect with trusted communication. Se detectó un problema en el lado del cliente de Zoho ManageEngine Desktop Central versión 10.0.552.W. • https://www.manageengine.com/products/desktop-central/integer-overflow-vulnerability.html • CWE-190: Integer Overflow or Wraparound CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 2%CPEs: 1EXPL: 0CVE-2020-10859
https://notcve.org/view.php?id=CVE-2020-10859
Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request. Zoho ManageEngine Desktop Central versiones anteriores a 10.0.484, permite una escritura de archivos arbitrarios autenticados durante una extracción de archivos ZIP por medio de un Salto de Directorio en una petición de la API AppDependency diseñada. • https://www.manageengine.com/products/desktop-central/arbitrary-file-upload-vulnerability.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-8509
https://notcve.org/view.php?id=CVE-2020-8509
Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure. Zoho ManageEngine Desktop Centralen versiones anteriores a la 10.0.483 permite a los usuarios no autentificados acceder a PDFGenerationServlet, conllevando a una divulgación de información confidencial. • https://www.manageengine.com/products/desktop-central/unauthenticated-servlet-access.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2020-8540
https://notcve.org/view.php?id=CVE-2020-8540
An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Una vulnerabilidad de tipo XML external entity (XXE) en Zoho ManageEngine Desktop Central antes de la actualización del 07-Mar-2020, permite a usuarios no autenticados remotos leer archivos arbitrarios o dirigir ataques de tipo server-side request forgery (SSRF) por medio de un DTD especialmente diseñado en una petición XML. • https://www.manageengine.com/products/desktop-central/xxe-vulnerability.html • CWE-611: Improper Restriction of XML External Entity Reference CWE-918: Server-Side Request Forgery (SSRF) •