CVE-2021-44514
https://notcve.org/view.php?id=CVE-2021-44514
OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories. OpUtils en Zoho ManageEngine OpManager 12.5 antes de 125490 maneja mal la autenticación para algunos directorios de auditoría • https://www.manageengine.com/network-monitoring/help/read-me-complete.html#build_125490 • CWE-287: Improper Authentication •
CVE-2021-41075
https://notcve.org/view.php?id=CVE-2021-41075
The NetFlow Analyzer in Zoho ManageEngine OpManger before 125455 is vulnerable to SQL Injection in the Attacks Module API. El analizador de NetFlow en Zoho ManageEngine OpManger versiones anteriores a 125455, es vulnerable a una inyección SQL en la API del módulo de ataques • https://www.manageengine.com/network-monitoring/help/read-me-complete.html#build_125455 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-40493
https://notcve.org/view.php?id=CVE-2021-40493
Zoho ManageEngine OpManager before 125437 is vulnerable to SQL Injection in the support diagnostics module. This occurs via the pollingObject parameter of the getDataCollectionFailureReason API. OpManager de Zoho ManageEngine versiones anteriores a 125437, es vulnerable a una inyección SQL en el módulo de diagnósticos de soporte. Esto ocurre por medio del parámetro pollingObject de la API getDataCollectionFailureReason • https://www.manageengine.com/network-monitoring/security-updates/cve-2021-40493.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-41288
https://notcve.org/view.php?id=CVE-2021-41288
Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API. Zoho ManageEngine OpManager versión 125466 y por debajo, es vulnerable a una inyección SQL en la API getReportData • https://www.manageengine.com/network-monitoring/help/read-me-complete.html#build_125467 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-3287 – ManageEngine OpManager SumPDU Java Deserialization
https://notcve.org/view.php?id=CVE-2021-3287
Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class. Zoho ManageEngine OpManager versiones anteriores a 12.5.329, permite una ejecución de código remota no autenticada debido a una omisión general en la clase de deserialización An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of the OpManager application. This vulnerability is also present in other products that are built on top of the OpManager application. This vulnerability affects OpManager versions 12.1 through 12.5.328. • http://packetstormsecurity.com/files/164231/ManageEngine-OpManager-SumPDU-Java-Deserialization.html https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125329 • CWE-502: Deserialization of Untrusted Data •