CVSS: 7.2EPSS: 14%CPEs: 87EXPL: 2CVE-2020-14008 – ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)
https://notcve.org/view.php?id=CVE-2020-14008
Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution. Zoho ManageEngine Applications Manager versiones 14710 y anteriores, permite a un usuario administrador autenticado cargar un jar vulnerable en una ubicación específica, lo que conlleva a una ejecución de código remota • https://www.exploit-db.com/exploits/48793 http://packetstormsecurity.com/files/159066/ManageEngine-Applications-Manager-Authenticated-Remote-Code-Execution.html https://www.manageengine.com https://www.manageengine.com/products/applications_manager/issues.html#14730 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 0%CPEs: 11EXPL: 1CVE-2019-19799
https://notcve.org/view.php?id=CVE-2019-19799
Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet. Zoho ManageEngine Applications Manager anterior a la versión 14600 permite que un atacante remoto no autenticado revele información relacionada con la licencia a través del servlet WieldFeedServlet. • https://gitlab.com/eLeN3Re/cve-2019-19799 https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-19799.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.3EPSS: 0%CPEs: 61EXPL: 0CVE-2019-19800
https://notcve.org/view.php?id=CVE-2019-19800
Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet. Zoho ManageEngine Applications Manager 14 versiones anteriores a 14520, permite a un atacante remoto no autenticado revelar nombres de archivos del Sistema Operativo por medio de FailOverHelperServlet. • https://gitlab.com/eLeN3Re/CVE-2019-19800 https://www.manageengine.com https://www.manageengine.com/products/applications_manager/release-notes.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19475
https://notcve.org/view.php?id=CVE-2019-19475
An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in “Authenticated Users” group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrary command to escalate and gain full system privilege user access and rights over the system. Se descubrió un problema en ManageEngine Applications Manager 14 con Build 14360. El PostgreSQL integrado que está incorporado en el Administrador de aplicaciones es propenso a ataques debido a la falta de seguridad de permisos de archivos. • https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-19475.html • CWE-276: Incorrect Default Permissions •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 0CVE-2019-19649
https://notcve.org/view.php?id=CVE-2019-19649
Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function. Zoho ManageEngine Applications Manager versiones anteriores a 13620, permite una inyección SQL no autenticada remota por medio del parámetro eventid de SyncEventServlet en la función doGet del archivo SyncEventServlet.java. • https://gitlab.com/eLeN3Re/CVE-2019-19649 https://www.manageengine.com/products/applications_manager/release-notes.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •