CVSS: 9.4EPSS: 14%CPEs: 71EXPL: 1CVE-2021-20078
https://notcve.org/view.php?id=CVE-2021-20078
Manage Engine OpManager builds below 125346 are vulnerable to a remote denial of service vulnerability due to a path traversal issue in spark gateway component. This allows a remote attacker to remotely delete any directory or directories on the OS. Las compilaciones de Manage Engine OpManager por debajo de 125346, son vulnerables a una vulnerabilidad de denegación de servicio remota debido a un problema de salto de ruta en el componente spark gateway. Esto permite que un atacante remoto elimine remotamente cualquier directorio o directorios del sistema operativo. • https://www.tenable.com/security/research/tra-2021-10 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 63%CPEs: 59EXPL: 3CVE-2020-28653 – ManageEngine OpManager SumPDU Java Deserialization
https://notcve.org/view.php?id=CVE-2020-28653
Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet. Zoho ManageEngine OpManager Stable build anterior a 125203 (y compilación Publicada anterior a 125233) permite una ejecución de código remota por medio del servlet Smart Update Manager (SUM) An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of the OpManager application. This vulnerability is also present in other products that are built on top of the OpManager application. This vulnerability affects OpManager versions 12.1 through 12.5.328. • https://github.com/tuo4n8/CVE-2020-28653 https://github.com/mr-r3bot/ManageEngine-CVE-2020-28653 http://packetstormsecurity.com/files/164231/ManageEngine-OpManager-SumPDU-Java-Deserialization.html https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125203 https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125233 •
CVSS: 7.5EPSS: 20%CPEs: 26EXPL: 0CVE-2020-13818 – ManageEngine OpManager OpmSkipFilter Directory Traversal Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-13818
In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed. En Zoho ManageEngine OpManager versiones anteriores a 125144, cuando es usado (cachestart), una comprobación de salto de directorio puede ser omitida This vulnerability allows remote attackers to disclose sensitive information on affected installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the OpmSkipFilter class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose files in the context of the service account. • https://www.manageengine.com/network-monitoring/help/read-me-complete.html https://www.zerodayinitiative.com/advisories/ZDI-20-691 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 97%CPEs: 80EXPL: 1CVE-2020-12116
https://notcve.org/view.php?id=CVE-2020-12116
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. Zoho ManageEngine OpManager Stable build anterior a 124196 y Released build anterior a 125125, permite a un atacante no autenticado leer archivos arbitrarios en el servidor mediante el envío de una petición diseñada. • https://github.com/BeetleChunks/CVE-2020-12116 https://www.manageengine.com/network-monitoring/help/read-me-complete.html https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125125 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 30%CPEs: 14EXPL: 0CVE-2020-11946
https://notcve.org/view.php?id=CVE-2020-11946
Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call. Zoho ManageEngine OpManager versiones anteriores a la versión 125120, permite a un usuario no autenticado recuperar una clave de la API por medio de una llamada del servlet. • https://cwe.mitre.org/data/definitions/306.html https://www.manageengine.com/network-monitoring/help/read-me-complete.html • CWE-306: Missing Authentication for Critical Function •