Page 3 of 29 results (0.016 seconds)

CVSS: 9.8EPSS: 43%CPEs: 66EXPL: 1

Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class. Zoho ManageEngine OpManager versiones anteriores a 12.5.329, permite una ejecución de código remota no autenticada debido a una omisión general en la clase de deserialización An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of the OpManager application. This vulnerability is also present in other products that are built on top of the OpManager application. This vulnerability affects OpManager versions 12.1 through 12.5.328. • http://packetstormsecurity.com/files/164231/ManageEngine-OpManager-SumPDU-Java-Deserialization.html https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125329 • CWE-502: Deserialization of Untrusted Data •

CVSS: 9.4EPSS: 14%CPEs: 71EXPL: 1

Manage Engine OpManager builds below 125346 are vulnerable to a remote denial of service vulnerability due to a path traversal issue in spark gateway component. This allows a remote attacker to remotely delete any directory or directories on the OS. Las compilaciones de Manage Engine OpManager por debajo de 125346, son vulnerables a una vulnerabilidad de denegación de servicio remota debido a un problema de salto de ruta en el componente spark gateway. Esto permite que un atacante remoto elimine remotamente cualquier directorio o directorios del sistema operativo. • https://www.tenable.com/security/research/tra-2021-10 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.8EPSS: 63%CPEs: 59EXPL: 3

Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet. Zoho ManageEngine OpManager Stable build anterior a 125203 (y compilación Publicada anterior a 125233) permite una ejecución de código remota por medio del servlet Smart Update Manager (SUM) An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of the OpManager application. This vulnerability is also present in other products that are built on top of the OpManager application. This vulnerability affects OpManager versions 12.1 through 12.5.328. • https://github.com/tuo4n8/CVE-2020-28653 https://github.com/mr-r3bot/ManageEngine-CVE-2020-28653 http://packetstormsecurity.com/files/164231/ManageEngine-OpManager-SumPDU-Java-Deserialization.html https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125203 https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125233 •

CVSS: 7.5EPSS: 20%CPEs: 26EXPL: 0

In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed. En Zoho ManageEngine OpManager versiones anteriores a 125144, cuando es usado (cachestart), una comprobación de salto de directorio puede ser omitida This vulnerability allows remote attackers to disclose sensitive information on affected installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the OpmSkipFilter class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose files in the context of the service account. • https://www.manageengine.com/network-monitoring/help/read-me-complete.html https://www.zerodayinitiative.com/advisories/ZDI-20-691 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.5EPSS: 97%CPEs: 80EXPL: 1

Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. Zoho ManageEngine OpManager Stable build anterior a 124196 y Released build anterior a 125125, permite a un atacante no autenticado leer archivos arbitrarios en el servidor mediante el envío de una petición diseñada. • https://github.com/BeetleChunks/CVE-2020-12116 https://www.manageengine.com/network-monitoring/help/read-me-complete.html https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125125 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •