CVE-2020-11527
https://notcve.org/view.php?id=CVE-2020-11527
In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. • https://www.manageengine.com/network-monitoring/help/read-me-complete.html#124181
CVE-2020-10541
https://notcve.org/view.php?id=CVE-2020-10541
Zoho ManageEngine OpManager before 12.4.179 allows remote code execution via a specially crafted Mail Server Settings v1 API request. This was fixed in 12.5.108. • https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125108
CVE-2019-17421
https://notcve.org/view.php?id=CVE-2019-17421
Incorrect file permissions on the packaged Nipper executable file in Zoho ManageEngine OpManager 12.4.072 and Firewall Analyzer 12.4.072 allow local users to elevate privileges to root by overwriting this file with a malicious payload. • https://blog.vastart.dev/2019/11/cve-2019-17421-privilege-escalation.html https://twitter.com/va_start https://www.manageengine.com/products/firewall/security-updates/cve-2019-17421.html • CWE-276: Incorrect Default Permissions
CVE-2019-17602
https://notcve.org/view.php?id=CVE-2019-17602
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated. • https://www.manageengine.com/network-monitoring/help/read-me-complete.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-15106 – ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-15106
An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm'" string is used for the password. For example, if the username is admin, the password is admin@opm. • https://www.exploit-db.com/exploits/47229 http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Unauthenticated-Remote-Command-Execution.html https://www.manageengine.com/network-monitoring/security-updates/cve-2019-15106.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15106.html • CWE-306: Missing Authentication for Critical Function