CVSS: 6.5EPSS: 1%CPEs: 2EXPL: 7CVE-2014-6043 – ManageEngine EventLog Analyzer - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-6043
ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000. ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 y 8.2 build 8020 no restringe correctamente el acceso al navegador de la base de datos, lo que permite a los usuarios autenticados remotos obtener acceso a la base de datos a través de una solicitud directa a event / runQuery.do. Corregido en Build 10000. • https://www.exploit-db.com/exploits/34519 http://packetstormsecurity.com/files/128102/ManageEngine-EventLog-Analyzer-9.9-Authorization-Code-Execution.html http://seclists.org/fulldisclosure/2014/Aug/86 http://seclists.org/fulldisclosure/2014/Sep/19 http://www.exploit-db.com/exploits/34519 http://www.securityfocus.com/bid/69482 https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 96%CPEs: 2EXPL: 10CVE-2014-6037 – ManageEngine EventLog Analyzer UploadHandlerServlet File Upload Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-6037
Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its name, then accessing the executable via a direct request to the file under the web root. Fixed in Build 11072. La vulnerabilidad transversal del directorio en el servlet agentUpload en ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 y 8.2 build 8020 permite a los atacantes remotos ejecutar código arbitrario al cargar un archivo ZIP que contiene un archivo ejecutable con secuencias .. (punto punto) en su nombre, y luego acceder el ejecutable a través de una solicitud directa al archivo bajo la raíz web. • https://www.exploit-db.com/exploits/34519 https://www.exploit-db.com/exploits/34670 http://osvdb.org/show/osvdb/110642 http://packetstormsecurity.com/files/128102/ManageEngine-EventLog-Analyzer-9.9-Authorization-Code-Execution.html http://seclists.org/fulldisclosure/2014/Aug/86 http://seclists.org/fulldisclosure/2014/Sep/1 http://seclists.org/fulldisclosure/2014/Sep/19 http://seclists.org/fulldisclosure/2014/Sep/20 http://www.exploit-db.com/exploits/34519 http://www.securityfocus. • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2014-4930
https://notcve.org/view.php?id=CVE-2014-4930
Multiple cross-site scripting (XSS) vulnerabilities in event/index2.do in ManageEngine EventLog Analyzer before 9.0 build 9002 allow remote attackers to inject arbitrary web script or HTML via the (1) width, (2) height, (3) url, (4) helpP, (5) tab, (6) module, (7) completeData, (8) RBBNAME, (9) TC, (10) rtype, (11) eventCriteria, (12) q, (13) flushCache, or (14) product parameter. Fixed in Build 11072. Múltiples vulnerabilidades de cross-site scripting (XSS) en event / index2.do en ManageEngine EventLog Analyzer anterior a la versión 9.0, compilación 9002, permiten a los atacantes remotos inyectar script web arbitrario o HTML a través del (1) ancho, (2) altura, (3) url (4) helpP, (5) pestaña, (6) módulo, (7) completeData, (8) RBBNAME, (9) TC, (10) rtype, (11) eventCriteria, (12) q, (13) flushCache, o (14) parámetro del producto. Corregido en Build 11072. • http://packetstormsecurity.com/files/128012/ManageEngine-EventLog-Analyzer-7-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2014/Aug/74 http://www.securityfocus.com/bid/69420 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2014-5103
https://notcve.org/view.php?id=CVE-2014-5103
Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine EventLog Analyzer 9 build 9000 allows remote attackers to inject arbitrary web script or HTML via the j_username parameter to event/j_security_check. Fixed in Version 10 Build 10000. La vulnerabilidad de secuencias Cross-site scripting (XSS) en ZOHO ManageEngine EventLog Analyzer 9 build 9000 permite a los atacantes remotos inyectar secuencias de comandos web arbitrarias o HTML a través del parámetro j_username en event / j_security_check. Corregido en la Versión 10 Build 10000. • http://packetstormsecurity.com/files/127568/EventLog-Analyzer-9.0-Build-9000-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/532856/100/0/threaded http://www.securityfocus.com/bid/68854 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •