CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 4CVE-2018-12996 – Zoho ManageEngine 13 (13790 build) XSS / File Read / File Deletion
https://notcve.org/view.php?id=CVE-2018-12996
29 Jun 2018 — A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do. Una vulnerabilidad de Cross-Site Scripting (XSS) reflejado en versiones anteriores a la 13 (Build 13800) de Zoho ManageEngine Applications Manager permite a atacantes remotos inyectar scripts web o HTML arbitrarios mediante el parámetro "method" en GraphicalView.do. Zoho ManageEngi... • https://packetstorm.news/files/id/148635 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 6%CPEs: 1EXPL: 0CVE-2018-11808
https://notcve.org/view.php?id=CVE-2018-11808
06 Jun 2018 — Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server. Control de acceso incorrecto en CustomFieldsFeedServlet en ManageEngine Applications Manager, en las versiones 13 anteriores a la build 13740, permite que un atacante elimine cualquier a... • http://www.securityfocus.com/bid/104467 • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 87%CPEs: 1EXPL: 5CVE-2018-7890 – ManageEngine Applications Manager 13.5 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-7890
08 Mar 2018 — A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection. Se ha desc... • https://packetstorm.news/files/id/146951 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 12%CPEs: 1EXPL: 0CVE-2017-16846
https://notcve.org/view.php?id=CVE-2017-16846
16 Nov 2017 — Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter. Zoho ManageEngine Applications Manager 13 antes de la build 13530 permite una inyección SQL mediante el parámetro haid en /manageApplications.do?method=AddSubGroup. • http://code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 12%CPEs: 1EXPL: 0CVE-2017-16847
https://notcve.org/view.php?id=CVE-2017-16847
16 Nov 2017 — Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action. Zoho ManageEngine Applications Manager 13 antes de la build 13530 permite una inyección SQL mediante el parámetro resourceid en /showresource.do en una acción showPlasmaView. • http://code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 9%CPEs: 1EXPL: 0CVE-2017-16848
https://notcve.org/view.php?id=CVE-2017-16848
16 Nov 2017 — Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter. Zoho ManageEngine Applications Manager 13 permite inyección SQL mediante el parámetro groupname en /manageConfMons.do. • http://code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 12%CPEs: 1EXPL: 0CVE-2017-16849
https://notcve.org/view.php?id=CVE-2017-16849
16 Nov 2017 — Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter. Zoho ManageEngine Applications Manager 13 antes de la build 13530 permite una inyección SQL mediante el parámetro forpage en /MyPage.do?method=viewDashBoard. • http://code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 12%CPEs: 1EXPL: 0CVE-2017-16850
https://notcve.org/view.php?id=CVE-2017-16850
16 Nov 2017 — Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action. Zoho ManageEngine Applications Manager 13 antes de la build 13530 permite una inyección SQL mediante el parámetro resourceid en /showresource.do en una acción getResourceProfiles. • http://code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 12%CPEs: 1EXPL: 0CVE-2017-16851
https://notcve.org/view.php?id=CVE-2017-16851
16 Nov 2017 — Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter. Zoho ManageEngine Applications Manager 13 antes de la build 13530 permite una inyección SQL mediante el parámetro widgetid en /MyPage.do. • http://code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 3%CPEs: 1EXPL: 2CVE-2017-16542 – ManageEngine Applications Manager 13 - SQL Injection
https://notcve.org/view.php?id=CVE-2017-16542
05 Nov 2017 — Zoho ManageEngine Applications Manager 13 before build 13500 allows Post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request. Zoho ManageEngine Applications Manager 13 antes de la build 13500 permite una inyección SQL postautenticación mediante el parámetro name en una petición manageApplications.do?method=insert. Zoho ManageEngine Applications Manager version 13 suffers from multiple post-authentication remote SQL injection vulnerabilities. • https://packetstorm.news/files/id/144892 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •