CVE-2019-7426 – Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 XSS
https://notcve.org/view.php?id=CVE-2019-7426
XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the groupDesc, groupName, groupID, or task parameter. XSS en Zoho ManageEngine Netflow Analyzer Professional v7.0.0.0.2 en el archivo "/netflow/jspui/linkdownalertConfig.jsp" del groupDesc, groupName, groupID, o parámetro de tarea. Zoho ManageEngine Netflow Analyzer Professional version 7.0.0.2 suffers from multiple cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/151585/Zoho-ManageEngine-Netflow-Analyzer-Professional-7.0.0.2-XSS.html http://seclists.org/fulldisclosure/2019/Feb/29 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-10803
https://notcve.org/view.php?id=CVE-2018-10803
Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary web script or HTML via a crafted description value. This can be exploited through CSRF. Cross-Site Scripting (XSS) en la funcionalidad de adición de credenciales en Zoho ManageEngine NetFlow Analyzer en versiones v12.3 anteriores a la 12.3.125 (build 123125) permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante un valor de descripción manipulado. Esto puede explotarse mediante Cross-Site Request Forgery (CSRF). • http://www.securityfocus.com/bid/104251 https://www.manageengine.com/products/netflow/readme.html#123125 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2014-5445 – ManageEngine NetFlow Analyzer CReportPDFServlet schFilePath Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2014-5445
Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet. Múltiples vulnerabilidades de recorrido de directorio absoluto en ZOHO ManageEngine Netflow Analyzer 8.6 hasta 10.2 y IT360 10.3 permiten a atacantes remotos o usuarios remotos autenticados leer ficheros arbitrarios a través de un nombre de ruta completo en el parámetro schFilePath en el servlet (1) CSVServlet o (2) CReportPDFServlet. This vulnerability allows remote attackers to disclose files on vulnerable installations of ManageEngine NetFlow Analyzer. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of input to the CReportPDFServlet servlet. The issue lies in the failure to perform any validation of the input filename. • https://www.exploit-db.com/exploits/43895 http://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-File-Download.html http://seclists.org/fulldisclosure/2014/Dec/9 http://www.securityfocus.com/archive/1/534122/100/0/threaded http://www.securityfocus.com/archive/1/534141/100/0/threaded http://www.securityfocus.com/bid/71404 https://exchange.xforce.ibmcloud.com/vulnerabilities/99045 https://github.com/rapid7/metasploit-framework/pull/4282 https://raw.githubusercontent.com • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2014-5446 – ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download
https://notcve.org/view.php?id=CVE-2014-5446
Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter. Vulnerabilidad de salto de directorio en el servlet DisplayChartPDF en ZOHO ManageEngine Netflow Analyzer 8.6 hasta 10.2 y IT360 10.3 permite a atacantes remotos o usuarios remotos autenticados leer ficheros arbitrarios a través de un .. (punto punto) en el parámetro filename. ManageEngine Netflow Analyzer and IT360 suffer from an arbitrary file download vulnerability. • https://www.exploit-db.com/exploits/43895 http://packetstormsecurity.com/files/129336/ManageEngine-Netflow-Analyzer-IT360-File-Download.html http://seclists.org/fulldisclosure/2014/Dec/9 http://www.securityfocus.com/archive/1/534122/100/0/threaded http://www.securityfocus.com/archive/1/534141/100/0/threaded http://www.securityfocus.com/bid/71404 https://exchange.xforce.ibmcloud.com/vulnerabilities/99046 https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2007-3593 – NetFlow Analyzer 5 - '/jspui/appConfig.jsp?task' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-3593
Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine NetFlow Analyzer 5 allow remote attackers to inject arbitrary web script or HTML via the (1) alpha parameter in (a) netflow/jspui/applicationList.jsp, the (2) task parameter in (b) netflow/jspui/appConfig.jsp, the (3) view parameter in (c) netflow/jspui/index.jsp, and the (4) rtype parameter in (d) netflow/jspui/selectDevice.jsp and (e) netflow/jspui/customReport.jsp. NOTE: it was later reported that vector 3 also affects 7.5 build 7500. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en ManageEngine NetFlow Analyzer versión 5, permite a atacantes remotos inyectar script web o HTML arbitrario por medio del parámetro (1) alpha en (a) el archivo netflow/jspui/applicationList.jsp, el (2) parámetro task en (b) el archivo netflow/jspui/appConfig.jsp, el (3) parámetro view en (c) el archivo netflow/jspui/index.jsp, y el (4) parámetro rtype en (d) los archivos netflow/jspui/selectDevice.jsp y (e) netflow/jspui/customReport.jsp. NOTA: fue reportado mas tarde que el vector 3 también afecta a la versión 7.5 build 7500. • https://www.exploit-db.com/exploits/30267 https://www.exploit-db.com/exploits/30266 https://www.exploit-db.com/exploits/30270 https://www.exploit-db.com/exploits/30268 https://www.exploit-db.com/exploits/30269 http://lostmon.blogspot.com/2007/07/netflow-analizer-5-opmanager-7-multiple.html http://osvdb.org/37826 http://osvdb.org/37827 http://osvdb.org/37828 http://osvdb.org/37829 http://osvdb.org/37830 http://secunia.com/advisories/25947 http://www • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •