CVE-2018-16965 – ManageEngine SupportCenter Plus 8.1.0 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-16965
In Zoho ManageEngine SupportCenter Plus before 8.1 Build 8109, there is HTML Injection and Stored XSS via the /ServiceContractDef.do contractName parameter. ManageEngine SupportCenter Plus version 8.1.0 suffers from cross site scripting and HTML injection vulnerabilities.
• http://packetstormsecurity.com/files/149438/ManageEngine-SupportCenter-Plus-8.1.0-Cross-Site-Scripting.html
• https://pitstop.manageengine.com/portal/community/topic/supportcenter-plus-version-8-1-build-8109-released
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-5149 – ManageEngine SupportCenter Plus 7.90 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-5149
Directory traversal vulnerability in Zoho ManageEngine SupportCenter Plus 7.90 allows remote authenticated users to write to arbitrary files via a .. (dot dot) in the component parameter in the Request component to workorder/Attachment.jsp.
• https://www.exploit-db.com/exploits/37322
• http://packetstormsecurity.com/files/132376/ManageEngine-SupportCenter-Plus-7.90-XSS-Traversal-Password-Disclosure.html
• http://www.securityfocus.com/bid/75512
• http://www.vulnerability-lab.com/get_content.php?id=1501
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2015-5150 – ManageEngine SupportCenter Plus 7.90 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-5150
Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authenticated users to inject arbitrary web script or HTML via the (1) query parameter in the run_query_editor_query module to CustomReportHandler.do, (2) compAcct parameter to jsp/ResetADPwd.jsp, or (3) redirectTo parameter to jsp/CacheScreenWidth.jsp.
• https://www.exploit-db.com/exploits/37322
• http://packetstormsecurity.com/files/132376/ManageEngine-SupportCenter-Plus-7.90-XSS-Traversal-Password-Disclosure.html
• http://www.vulnerability-lab.com/get_content.php?id=1501
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-0866 – SupportCenter Plus 7.9 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2015-0866
Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustomer, (2) username, or (3) password parameter to HomePage.do. SupportCenter Plus version 7.9 suffers from a cross site scripting vulnerability.
• http://www.securityfocus.com/archive/1/534564/100/0/threaded
• http://www.securityfocus.com/bid/72349
• https://forums.manageengine.com/topic/security-update-for-supportcenter-plus
• https://www.htbridge.com/advisory/HTB23247
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-100002 – ManageEngine Support Center Plus 7916 - Directory Traversal
https://notcve.org/view.php?id=CVE-2014-100002
Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to WorkOrder.do in the file attachment for a new ticket.
• https://www.exploit-db.com/exploits/31262
• http://osvdb.org/show/osvdb/102656
• http://www.exploit-db.com/exploits/31262
• https://exchange.xforce.ibmcloud.com/vulnerabilities/90806
• https://supportcenter.wiki.zoho.com/ReadMe-V2.html
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')