
CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to perform a scan in order to discover open ports on a machine as well as available machines on the network segment on which the instance of the product is deployed.
• https://excellium-services.com/cert-xlm-advisory/cve-2020-15594
• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

An issue was discovered in Zoho Application Control Plus before version 10.0.511. The Element Configuration feature (to configure elements included in the scope of elements managed by the product) allows an attacker to retrieve the entire list of the IP ranges and subnets configured in the product and consequently obtain information about the cartography of the internal networks to which the product has access.
• https://excellium-services.com/cert-xlm-advisory/CVE-2020-15595

CVSS: 9.8 | EPSS: 0% | CPEs: 89 | EXPL: 0

The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution.
• https://www.manageengine.com
• https://www.manageengine.com/products/applications_manager/issues.html#v14740
• https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2020-15394.html
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 | EPSS: 0% | CPEs: 88 | EXPL: 0

Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS).
• https://www.manageengine.com
• https://www.manageengine.com/products/applications_manager/issues.html#v14730
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.2 | EPSS: 14% | CPEs: 87 | EXPL: 2

Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution.
• https://www.exploit-db.com/exploits/48793
• http://packetstormsecurity.com/files/159066/ManageEngine-Applications-Manager-Authenticated-Remote-Code-Execution.html
• https://www.manageengine.com
• https://www.manageengine.com/products/applications_manager/issues.html#14730
• CWE-434: Unrestricted Upload of File with Dangerous Type