CVE-2017-11685
https://notcve.org/view.php?id=CVE-2017-11685
Multiple Reflective cross-site scripting (XSS) vulnerabilities in search and display of event data in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML, as demonstrated by the fName parameter. Múltiples vulnerabilidades de tipo cross-site-scripting (XSS) reflexivo en la búsqueda y visualización de datos de eventos en Zoho ManageEngine Event Log Analyzer versiones 11.4 y 11.5, permiten a los atacantes remotos inyectar scripts web o HTML arbitrarios, como es demostrado por el parámetro fName. • http://init6.me/exploiting-manageengine-eventlog-analyzer.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-11687
https://notcve.org/view.php?id=CVE-2017-11687
Multiple Persistent cross-site scripting (XSS) vulnerabilities in Event log parsing and Display functions in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML via syslog. Múltiples vulnerabilidades de tipo cross-site-scripting (XSS) persistentes en las funciones de visualización y análisis de registro de eventos en Zoho ManageEngine Event Log Analyzer versiones 11.4 y 11.5, permiten a los atacantes remotos inyectar scripts web o HTML arbitrarios por medio de syslog. • http://init6.me/exploiting-manageengine-eventlog-analyzer.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-7387 – ManageEngine EventLog Analyzer < 10.6 build 10060 - SQL Execution
https://notcve.org/view.php?id=CVE-2015-7387
ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200. ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 y versiones anteriores permite a los atacantes remotos eludir las restricciones previstas y ejecutar comandos SQL arbitrarios a través de una consulta permitida seguida de una no permitida en el parámetro de consulta para event / runQuery.do, como lo demuestra "SELECT 1; INSERT INTO ". Corregido en Build 11200. • https://www.exploit-db.com/exploits/38173 https://www.exploit-db.com/exploits/38352 http://packetstormsecurity.com/files/133581/ManageEngine-EventLog-Analyzer-10.6-Build-10060-SQL-Query-Execution.html http://packetstormsecurity.com/files/133747/ManageEngine-EventLog-Analyzer-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2015/Sep/59 http://www.rapid7.com/db/modules/exploit/windows/misc/manageengine_eventlog_analyzer_rce https://seclists.org/fulldisclosure/2015/Sep/59 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •