
CVE-2018-5339
https://notcve.org/view.php?id=CVE-2018-5339
18 Apr 2018 — An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions. • https://www.manageengine.com/products/desktop-central/query-restriction-bypass-vulnerability.html • CWE-306: Missing Authentication for Critical Function

CVE-2018-5340
https://notcve.org/view.php?id=CVE-2018-5340
18 Apr 2018 — An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: database access using a superuser account (specifically, an account with permission to write to the filesystem via SQL queries). • https://www.manageengine.com/products/desktop-central/query-restriction-bypass-vulnerability.html

CVE-2018-5341
https://notcve.org/view.php?id=CVE-2018-5341
18 Apr 2018 — An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: a missing server-side check on the file type/extension when uploading and modifying scripts. • https://www.manageengine.com/products/desktop-central/elevation-of-privilege-vulnerability.html • CWE-20: Improper Input Validation

CVE-2018-5342
https://notcve.org/view.php?id=CVE-2018-5342
18 Apr 2018 — An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account. • https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-manageengine-desktop-central • CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2018-8722
https://notcve.org/view.php?id=CVE-2018-8722
15 Mar 2018 — Zoho ManageEngine Desktop Central version 9.1.0 build 91099 has multiple XSS issues that were fixed in build 92026. • https://www.manageengine.com/products/desktop-central/cross-site-scripting-vulnerability.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-16924
https://notcve.org/view.php?id=CVE-2017-16924
19 Feb 2018 — Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/

CVE-2017-11346 – ManageEngine Desktop Central 10 Build 100087 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-11346
16 Jul 2017 — Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos. • https://www.exploit-db.com/exploits/42358 • CWE-20: Improper Input Validation

CVE-2015-2560 – Manage Engine Desktop Central 9 Unauthorized Administrative Password Reset
https://notcve.org/view.php?id=CVE-2015-2560
27 Mar 2015 — Manage Engine Desktop Central 9 before build 90135 allows remote attackers to change passwords of users with the Administrator role via an addOrModifyUser operation to servlets/DCOperationsServlet. A remote unauthenticated user can change the password of any Manage Engine Desktop C... • https://packetstorm.news/files/id/131062 • CWE-264: Permissions, Privileges, and Access Controls

CVE-2014-9331 – ManageEngine Desktop Central 9 Build 90087 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2014-9331
03 Feb 2015 — Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via an addUser action to STATE_ID/1417736606982/roleMgmt.do. • https://www.exploit-db.com/exploits/35980 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2014-9371 – ManageEngine Desktop Central MSP NativeAppServlet UDID JSON Object Code Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-9371
11 Dec 2014 — The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Desktop Central MSP. Authentication is not required to exploit this vulnerability. The s... • http://www.zerodayinitiative.com/advisories/ZDI-14-420 • CWE-20: Improper Input Validation