CVSS: 7.5EPSS: 0%CPEs: 55EXPL: 0CVE-2020-11527
https://notcve.org/view.php?id=CVE-2020-11527
In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. En Zoho ManageEngine OpManager versiones anteriores a 12.4.181, un atacante remoto no autenticado puede enviar un URI especialmente diseñado para leer archivos arbitrarios. • https://www.manageengine.com/network-monitoring/help/read-me-complete.html#124181 •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2020-10541
https://notcve.org/view.php?id=CVE-2020-10541
Zoho ManageEngine OpManager before 12.4.179 allows remote code execution via a specially crafted Mail Server Settings v1 API request. This was fixed in 12.5.108. Zoho ManageEngine OpManager versiones anteriores a 12.4.179, permite una ejecución de código remota por medio de una petición especialmente diseñada de la API Mail Server Settings v1. Esto fue corregido en la versión 12.5.108. • https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125108 •
CVSS: 9.8EPSS: 22%CPEs: 41EXPL: 0CVE-2019-17602
https://notcve.org/view.php?id=CVE-2019-17602
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated. Se detectó un problema en Zoho ManageEngine OpManager versiones anteriores a 12.4 build 124089. El servlet OPMDeviceDetailsServlet es propenso a la inyección SQL. • https://www.manageengine.com/network-monitoring/help/read-me-complete.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 7%CPEs: 1EXPL: 2CVE-2019-15106 – ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-15106
An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm. Se ha detectado un problema en Zoho ManageEngine OpManager en compilaciones anteriores a 14310. • https://www.exploit-db.com/exploits/47229 http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Unauthenticated-Remote-Command-Execution.html https://www.manageengine.com/network-monitoring/security-updates/cve-2019-15106.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15106.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.1EPSS: 0%CPEs: 160EXPL: 0CVE-2018-19921 – Zoho ManageEngine OpManager 12.3 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-19921
Zoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain controller. Zoho ManageEngine OpManager 12.3 antes de 123237 tiene Cross-Site Scripting (XSS) en el controlador del dominio. Zoho ManageEngine OpManager version 12.3 prior to build 123237 has a cross site scripting vulnerability in the domainController API. • https://www.manageengine.com/network-monitoring/help/read-me.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •