CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16962
https://notcve.org/view.php?id=CVE-2019-16962
Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a modified Report Name in a New Custom Report. Zoho ManageEngine Desktop Central versión 10.0.430, permite una inyección de HTML por medio de un Nombre de Reporte modificado en un Nuevo Reporte Personalizado • https://www.esecforte.com/manage-engine-desktopcentral-india-html-injection-vulnerability https://www.manageengine.com/products/desktop-central/download.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-15589
https://notcve.org/view.php?id=CVE-2020-15589
A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W and Remote Access Plus before 10.1.2119.1. By exploiting this issue, an attacker-controlled server can force the client to skip TLS certificate validation, leading to a man-in-the-middle attack against HTTPS and unauthenticated remote code execution. Se detectó un problema de diseño en GetInternetRequestHandle, InternetSendRequestEx e InternetSendRequestByBitrate en el lado del cliente de Zoho ManageEngine Desktop Central 10.0.552.W y Remote Access Plus antes de 10.1.2119.1. Aprovechando este problema, un servidor controlado por un atacante puede forzar al cliente a omitir la validación de certificados TLS, lo que lleva a un ataque de tipo man-in-the-middle contra HTTPS y a la ejecución de código remoto no autenticado • https://www.manageengine.com/products/desktop-central https://www.manageengine.com/products/desktop-central/untrusted-agent-server-communication.html •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-24397
https://notcve.org/view.php?id=CVE-2020-24397
An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. Se detectó un problema en el lado del cliente de Zoho ManageEngine Desktop Central versión 10.0.0.SP-534. Un servidor controlado por un atacante puede desencadenar un desbordamiento de enteros en las funciones InternetSendRequestEx e InternetSendRequestByBitrate que desencadena un desbordamiento del búfer en la región heap de la memoria y una Ejecución de Código Remota con privilegios SYSTEM • https://www.manageengine.com/products/desktop-central https://www.manageengine.com/products/desktop-central/integer-overflow-vulnerability.html • CWE-190: Integer Overflow or Wraparound CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15588
https://notcve.org/view.php?id=CVE-2020-15588
An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. This issue will occur only when untrusted communication is initiated with server. In cloud, Agent will always connect with trusted communication. Se detectó un problema en el lado del cliente de Zoho ManageEngine Desktop Central versión 10.0.552.W. • https://www.manageengine.com/products/desktop-central/integer-overflow-vulnerability.html • CWE-190: Integer Overflow or Wraparound CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 2%CPEs: 1EXPL: 0CVE-2020-10859
https://notcve.org/view.php?id=CVE-2020-10859
Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request. Zoho ManageEngine Desktop Central versiones anteriores a 10.0.484, permite una escritura de archivos arbitrarios autenticados durante una extracción de archivos ZIP por medio de un Salto de Directorio en una petición de la API AppDependency diseñada. • https://www.manageengine.com/products/desktop-central/arbitrary-file-upload-vulnerability.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •