CVE-2020-29658
https://notcve.org/view.php?id=CVE-2020-29658
Zoho ManageEngine Application Control Plus before 100523 has an insecure SSL configuration setting for Nginx, leading to Privilege Escalation.
References:
• https://www.manageengine.com/application-control/knowledge-base/privilege-escalation-vulnerability-open-SSL.html
CVE-2021-27214
https://notcve.org/view.php?id=CVE-2021-27214
A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905.
References:
• https://www.horizonsecurity.it/lang_EN/advisories/?a=20&title=ManageEngine+ADSelfService+Plus+privilege+escalation++CVE202127214
• https://www.manageengine.com/products/self-service-password/release-notes.html
Weaknesses:
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-918: Server-Side Request Forgery (SSRF)
CVE-2020-35765
https://notcve.org/view.php?id=CVE-2020-35765
doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do.
References:
• https://www.manageengine.com
• https://www.manageengine.com/products/applications_manager/issues.html#v15000
• https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2020-35765.html
• https://www.tenable.com/security/research/tra-2021-02
Weaknesses:
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-16268
https://notcve.org/view.php?id=CVE-2019-16268
Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration screen (userMgmt.do?actionToCall=ShowUser).
References:
• https://www.esecforte.com/responsible-vulnerability-disclosure-cve-2019-16268-html-injection-vulnerability-in-manageengine-remote-access-plus
• https://www.manageengine.com/remote-desktop-management/knowledge-base/html-injection.html
Weaknesses:
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-28653 – ManageEngine OpManager SumPDU Java Deserialization
https://notcve.org/view.php?id=CVE-2020-28653
Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.

An HTTP endpoint used by the ManageEngine OpManager Smart Update Manager component can be leveraged to deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of the OpManager application. This vulnerability is also present in other products that are built on top of the OpManager application. This vulnerability affects OpManager versions 12.1 through 12.5.328.
References:
• https://github.com/tuo4n8/CVE-2020-28653
• https://github.com/mr-r3bot/ManageEngine-CVE-2020-28653
• http://packetstormsecurity.com/files/164231/ManageEngine-OpManager-SumPDU-Java-Deserialization.html
• https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125203
• https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125233