CVE-2019-7426 – Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 XSS
https://notcve.org/view.php?id=CVE-2019-7426
XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the groupDesc, groupName, groupID, or task parameter. XSS en Zoho ManageEngine Netflow Analyzer Professional v7.0.0.0.2 en el archivo "/netflow/jspui/linkdownalertConfig.jsp" del groupDesc, groupName, groupID, o parámetro de tarea. Zoho ManageEngine Netflow Analyzer Professional version 7.0.0.2 suffers from multiple cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/151585/Zoho-ManageEngine-Netflow-Analyzer-Professional-7.0.0.2-XSS.html http://seclists.org/fulldisclosure/2019/Feb/29 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-10803
https://notcve.org/view.php?id=CVE-2018-10803
Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary web script or HTML via a crafted description value. This can be exploited through CSRF. Cross-Site Scripting (XSS) en la funcionalidad de adición de credenciales en Zoho ManageEngine NetFlow Analyzer en versiones v12.3 anteriores a la 12.3.125 (build 123125) permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante un valor de descripción manipulado. Esto puede explotarse mediante Cross-Site Request Forgery (CSRF). • http://www.securityfocus.com/bid/104251 https://www.manageengine.com/products/netflow/readme.html#123125 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2014-5445 – ManageEngine NetFlow Analyzer CReportPDFServlet schFilePath Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2014-5445
Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet. Múltiples vulnerabilidades de recorrido de directorio absoluto en ZOHO ManageEngine Netflow Analyzer 8.6 hasta 10.2 y IT360 10.3 permiten a atacantes remotos o usuarios remotos autenticados leer ficheros arbitrarios a través de un nombre de ruta completo en el parámetro schFilePath en el servlet (1) CSVServlet o (2) CReportPDFServlet. This vulnerability allows remote attackers to disclose files on vulnerable installations of ManageEngine NetFlow Analyzer. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of input to the CReportPDFServlet servlet. The issue lies in the failure to perform any validation of the input filename. • https://www.exploit-db.com/exploits/43895 http://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-File-Download.html http://seclists.org/fulldisclosure/2014/Dec/9 http://www.securityfocus.com/archive/1/534122/100/0/threaded http://www.securityfocus.com/archive/1/534141/100/0/threaded http://www.securityfocus.com/bid/71404 https://exchange.xforce.ibmcloud.com/vulnerabilities/99045 https://github.com/rapid7/metasploit-framework/pull/4282 https://raw.githubusercontent.com • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2014-5446 – ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download
https://notcve.org/view.php?id=CVE-2014-5446
Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter. Vulnerabilidad de salto de directorio en el servlet DisplayChartPDF en ZOHO ManageEngine Netflow Analyzer 8.6 hasta 10.2 y IT360 10.3 permite a atacantes remotos o usuarios remotos autenticados leer ficheros arbitrarios a través de un .. (punto punto) en el parámetro filename. ManageEngine Netflow Analyzer and IT360 suffer from an arbitrary file download vulnerability. • https://www.exploit-db.com/exploits/43895 http://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-File-Download.html http://seclists.org/fulldisclosure/2014/Dec/9 http://www.securityfocus.com/archive/1/534122/100/0/threaded http://www.securityfocus.com/archive/1/534141/100/0/threaded http://www.securityfocus.com/bid/71404 https://exchange.xforce.ibmcloud.com/vulnerabilities/99046 https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2007-3594 – OpManager 6/7 - '/admin/DeviceAssociation.do' Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2007-3594
Multiple cross-site scripting (XSS) vulnerabilities in AdventNet ManageEngine OpManager 6 and 7 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter in (a) ping.do and (b) traceRoute.do in map/; the (2) reportName, (3) displayName, and (4) selectedNode parameters to (c) reports/ReportViewAction.do; the (5) operation parameter to (d) admin/ServiceConfiguration.do; and the (6) selectedNode and (7) selectedTab parameters to (e) admin/DeviceAssociation.do. NOTE: the searchTerm parameter in Search.do is already covered by CVE-2006-2343. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en AdventNet ManageEngine OpManager 6 y 7 permiten a atacantes remotos inyectar scripts web o HTML de su elección mediante (1) parámetro name en (a) ping.do y (b) traceRoute.do en map/; parámetros (2) reportName, (3) displayName, y (4) selectedNode en (c) reports/ReportViewAction.do; (5) parámetro operation en (d) admin/ServiceConfiguration.do; y parámetros (6) selectedNode y (7) selectedTab en (e) admin/DeviceAssociation.do. NOTE: el parámetro searchTerm en Search.do ya está cubierto en CVE-2006-2343. • https://www.exploit-db.com/exploits/30275 https://www.exploit-db.com/exploits/30274 https://www.exploit-db.com/exploits/30271 https://www.exploit-db.com/exploits/30272 https://www.exploit-db.com/exploits/30273 http://lostmon.blogspot.com/2007/07/netflow-analizer-5-opmanager-7-multiple.html http://osvdb.org/37821 http://osvdb.org/37822 http://osvdb.org/37823 http://osvdb.org/37824 http://osvdb.org/37825 http://osvdb.org/38945 http://osvdb.org/3894 •