Page 4 of 19 results (0.007 seconds)

CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 2

An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Se detectó un problema en Zoho ManageEngine OpManager versiones hasta 12.4x. • https://www.exploit-db.com/exploits/47227 http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Privilege-Escalation-Remote-Command-Execution.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15104.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 2

An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Se detectó un problema en Zoho ManageEngine Application Manager versiones hasta 14.2. • https://www.exploit-db.com/exploits/47228 http://pentest.com.tr/exploits/DEFCON-ManageEngine-APM-v14-Privilege-Escalation-Remote-Command-Execution.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15105.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 3

Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature. Zoho ManageEngine Applications Manager, versiones desde 12 hasta 14, permite la inyección de SQL del resourceid FaultTemplateOptions.jsp. Posteriormente, un usuario no autenticado puede obtener la autoridad de SYSTEM en el servidor cargando un archivo malicioso a través de la función "Ejecutar acción(es) de programa". • https://www.exploit-db.com/exploits/46740 http://packetstormsecurity.com/files/152607/ManageEngine-Applications-Manager-14.0-SQL-Injection-Command-Injection.html https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-Auth-Bypass-Remote-Command-Execution.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-11469.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2

An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file. Se ha descubierto un problema en Zoho ManageEngine Applications Manager 11.0 hasta 14.0. Un usuario no autenticado puede obtener la autoridad de SYSTEM en el servidor debido a una vulnerabilidad SQL injection en Popup_SLA.jsp. • https://www.exploit-db.com/exploits/46725 https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-SQLi-Remote-Code-Execution.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-11448.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •