CVE-2017-10144
https://notcve.org/view.php?id=CVE-2017-10144
Vulnerability in the Oracle Applications Manager component of Oracle E-Business Suite (subcomponent: Oracle Diagnostics Interfaces). The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Applications Manager. CVSS 3.0 Base Score 7.5 (Availability impacts). • http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.securityfocus.com/bid/99685 http://www.securitytracker.com/id/1038926 •
CVE-2016-9488 – ManageEngine Applications Manager versions 12 and 13 suffer from remote SQL injection vulnerabilities
https://notcve.org/view.php?id=CVE-2016-9488
ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from remote SQL injection vulnerabilities. An unauthenticated attacker is able to access the URL /servlet/MenuHandlerServlet, which is vulnerable to SQL injection. The attacker can extract users' password hashes, which are unsalted MD5 hashes, and, depending on the database type and its configuration, can also execute operating system commands through SQL queries. • https://www.exploit-db.com/exploits/48692 http://packetstormsecurity.com/files/158554/ManageEngine-Applications-Manager-13-SQL-Injection.html http://seclists.org/fulldisclosure/2017/Apr/9 http://www.securityfocus.com/bid/97394 https://packetstormsecurity.com/files/142022/ManageEngine-Applications-Manager-12-13-XSS-SQL-Injection-Code-Execution.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9488.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
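The two consequences the advisory names, hash disclosure through the injectable query and cheap offline recovery of unsalted MD5 hashes, are shown below in an added example. This is illustration code written for this page, not ManageEngine's code or the published exploit: the table layout, the `menus`/`users` names, the parameter and the sample passwords are all constructed, since the page gives only the servlet path and the hash format. An in-memory SQLite database stands in for whatever backend the product uses.

```python
import hashlib
import sqlite3

# Constructed stand-in data. The real Applications Manager schema is not on
# the page; the only stated facts are an injectable query reachable through
# /servlet/MenuHandlerServlet and user password hashes stored as unsalted MD5.
USERS = [("admin", "Summer2016"), ("operator", "password1")]
MENUS = [(1, "Home"), (2, "Alerts")]


def md5_hex(text):
    """Unsalted MD5 of a password, the storage format the advisory describes."""
    return hashlib.md5(text.encode()).hexdigest()


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.execute("CREATE TABLE menus (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, md5_hex(p)) for u, p in USERS])
    conn.executemany("INSERT INTO menus VALUES (?, ?)", MENUS)
    return conn


def menu_titles_vulnerable(conn, menu_id):
    """Hypothetical vulnerable handler: request input is pasted into the SQL text."""
    sql = "SELECT title FROM menus WHERE id = " + menu_id
    return [row[0] for row in conn.execute(sql)]


def menu_titles_safe(conn, menu_id):
    """Hardened handler: a bound parameter, so the input is only ever a value."""
    sql = "SELECT title FROM menus WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (menu_id,))]


def crack_unsalted_md5(hashes, wordlist):
    """One MD5 per candidate word tests that word against every dumped hash at
    once; a per-user salt is exactly what would remove this shortcut."""
    table = {md5_hex(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def demo(payload="1 UNION SELECT name || ':' || pw_hash FROM users"):
    """Run the same attacker-controlled input through both handlers."""
    conn = build_db()
    leaked = menu_titles_vulnerable(conn, payload)   # menu title plus every user:hash row
    safe = menu_titles_safe(conn, payload)           # no row has id equal to that string
    # Everything after "user:" in the leaked rows is a hash; crack it offline.
    hashes = [row.split(":", 1)[1] for row in leaked if ":" in row]
    cracked = crack_unsalted_md5(hashes, ["letmein", "password1", "Summer2016"])
    return leaked, safe, cracked


if __name__ == "__main__":
    leaked, safe, cracked = demo()
    print("vulnerable query returned:", leaked)
    print("parameterised query returned:", safe)
    print("recovered passwords:", cracked)
```

The parameterised version returns nothing for the UNION payload because the whole string is compared as a value against the integer `id` column; it still answers a plain `"1"` with `["Home"]`, so the fix costs no functionality. The wordlist step is the reason the advisory calls out the missing salt: with salted hashes every candidate word would have to be hashed once per user rather than once in total.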
CVE-2016-9490 – ManageEngine Applications Manager versions 12 and 13 suffer from a Reflected Cross-Site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2016-9490
ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from a Reflected Cross-Site Scripting vulnerability. Applications Manager is prone to Cross-Site Scripting in the LIMIT parameter of the URL path /DiagAlertAction.do?REQTYPE=AJAX&LIMIT=1233. The URL is also reachable without authentication. • http://seclists.org/fulldisclosure/2017/Apr/9 http://www.securityfocus.com/bid/97394 https://packetstormsecurity.com/files/142022/ManageEngine-Applications-Manager-12-13-XSS-SQL-Injection-Code-Execution.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9490.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
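Both CVE-2016-9488 and CVE-2016-9490 are reachable without a session, so the web-server access log is the first place to look for attempts against an unpatched build. The script below is an added example, not part of the advisory or the vendor's tooling: it parses Common Log Format lines and flags requests to /servlet/MenuHandlerServlet whose decoded query string carries SQL metacharacters or keywords, and requests to /DiagAlertAction.do whose LIMIT value is not a plain integer. The log lines are constructed, and the parameter name `q` on the servlet is an assumption, since the page names only the path; LIMIT is the parameter the page names.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Common Log Format lines; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2017:10:01:02 +0000] "GET /DiagAlertAction.do?REQTYPE=AJAX&LIMIT=1233 HTTP/1.1" 200 812
198.51.100.7 - - [03/Apr/2017:10:01:09 +0000] "GET /DiagAlertAction.do?REQTYPE=AJAX&LIMIT=1233%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 990
10.0.0.8 - - [03/Apr/2017:10:02:15 +0000] "GET /servlet/MenuHandlerServlet?q=home HTTP/1.1" 200 300
198.51.100.7 - - [03/Apr/2017:10:02:40 +0000] "GET /servlet/MenuHandlerServlet?q=1%27%20UNION%20SELECT%20password%20FROM%20users-- HTTP/1.1" 500 120
10.0.0.8 - - [03/Apr/2017:10:03:01 +0000] "GET /index.do HTTP/1.1" 200 4211
"""

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Quote, comment markers and the keywords typical of UNION- and time-based probes.
SQL_RE = re.compile(r"'|--|/\*|\b(union|select|sleep|pg_sleep|waitfor|benchmark)\b", re.I)


def parse_clf(line):
    """Return the fields of one CLF line, or None if the line does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def check_request(entry):
    """Return a list of (rule, detail) findings for one parsed log entry."""
    findings = []
    parts = urlsplit(entry["target"])
    path, query = parts.path, parts.query
    if path == "/servlet/MenuHandlerServlet":
        # Decode before matching so percent-encoded quotes and spaces are seen.
        decoded = unquote_plus(query)
        if SQL_RE.search(decoded):
            findings.append(("sqli-menuhandler", decoded))
    elif path == "/DiagAlertAction.do":
        # LIMIT is an integer by contract; anything else is reflected input.
        for value in parse_qs(query).get("LIMIT", []):
            if not value.isdigit():
                findings.append(("xss-limit", value))
    return findings


def scan(log_text):
    """Scan a whole log and return (source_ip, rule, detail) for every hit."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_clf(line)
        if not entry:
            continue
        for rule, detail in check_request(entry):
            hits.append((entry["src"], rule, detail))
    return hits


if __name__ == "__main__":
    for src, rule, detail in scan(SAMPLE_LOG):
        print(f"{src}\t{rule}\t{detail}")
```

The LIMIT rule is deliberately an allow-list check (digits only) rather than a search for `<script>`, because a reflected parameter that should only ever be a number has no legitimate reason to carry anything else; the servlet rule has to stay a deny-list because the page does not say what that endpoint's parameters are supposed to look like.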
CVE-2017-3277 – Oracle E-Business Suite 12.x Unconstrained File Download
https://notcve.org/view.php?id=CVE-2017-3277
Vulnerability in the Oracle Applications Manager component of Oracle E-Business Suite (subcomponent: OAM Client). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Applications Manager accessible data. CVSS v3.0 Base Score 4.9 (Confidentiality impacts). • http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html http://www.securityfocus.com/bid/95617 http://www.securitytracker.com/id/1037639 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-3525
https://notcve.org/view.php?id=CVE-2016-3525
Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 12.1.3 allows remote attackers to affect confidentiality via vectors related to Cookie Management. • http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html http://www.securityfocus.com/bid/91787 http://www.securityfocus.com/bid/91878 http://www.securitytracker.com/id/1036403 •