CVE-2021-20078
https://notcve.org/view.php?id=CVE-2021-20078
ManageEngine OpManager builds below 125346 are vulnerable to a remote denial of service due to a path traversal issue in the Spark Gateway component. This allows a remote attacker to delete any directory or directories on the OS.
• https://www.tenable.com/security/research/tra-2021-10
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-9367
https://notcve.org/view.php?id=CVE-2020-9367
The MPS Agent in Zoho ManageEngine Desktop Central MSP build 10.0.486 is vulnerable to DLL Hijacking: dcinventory.exe and dcconfig.exe try to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because this DLL is missing from the installation, thus making it possible to hijack the DLL and subsequently inject code, leading to an escalation of privilege to NT AUTHORITY\SYSTEM.
• https://www.manageengine.com/desktop-management-msp/dll-hijacking-vulnerability.html
• CWE-427: Uncontrolled Search Path Element
CVE-2020-35682
https://notcve.org/view.php?id=CVE-2020-35682
Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).
• https://github.com/its-arun/CVE-2020-35682
• https://www.manageengine.com/products/service-desk/on-premises/readme.html#11134
• CWE-863: Incorrect Authorization
CVE-2020-28050
https://notcve.org/view.php?id=CVE-2020-28050
Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server.
• https://www.manageengine.com/products/desktop-central/cve-2020-28050.html
• https://www.manageengine.com/products/desktop-central/fixing-multiple-vulnerabilities.html
• CWE-287: Improper Authentication
CVE-2020-35594
https://notcve.org/view.php?id=CVE-2020-35594
Zoho ManageEngine ADManager Plus before 7066 allows XSS.
• https://www.manageengine.com/products/ad-manager/release-notes.html#7066
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')