CVSS: 6.5EPSS: 0%CPEs: 13EXPL: 1CVE-2020-13154
https://notcve.org/view.php?id=CVE-2020-13154
Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet. Zoho ManageEngine Service Plus versiones anteriores a 11.1 build 11112, permite a usuarios autenticados con pocos privilegios detectar la contraseña de File Protection mediante una llamada de getFileProtectionSettings a AjaxServlet. • https://gitlab.com/eLeN3Re/CVE-2020-13154 https://www.manageengine.com/products/service-desk/on-premises/readme.html • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 2%CPEs: 23EXPL: 1CVE-2019-15083 – ManageEngine Service Desk 10.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-15083
Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator visualizes this page. • https://www.exploit-db.com/exploits/48473 http://packetstormsecurity.com/files/157717/ManageEngine-Service-Desk-10.0-Cross-Site-Scripting.html https://www.manageengine.com/products/service-desk/on-premises/readme.html#readme105 https://www.manageengine.com/products/service-desk/readme.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 34%CPEs: 2EXPL: 2CVE-2020-11532 – ManageEngine DataSecurity Plus Xnode Enumeration
https://notcve.org/view.php?id=CVE-2020-11532
Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of admin user. Zoho ManageEngine DataSecurity Plus versiones anteriores a 6.0.1, utiliza credenciales de administrador predeterminadas para comunicarse con un servidor DataEngine Xnode. Esto permite a un atacante omitir la autenticación para este servidor y ejecutar todas las operaciones en el contexto del usuario administrador. ManageEngine DataSecurity Plus versions prior to 6.0.1 and ADAudit Plus versions prior to 6.0.3 suffer from an authentication bypass vulnerability. • http://packetstormsecurity.com/files/157609/ManageEngine-DataSecurity-Plus-Authentication-Bypass.html http://seclists.org/fulldisclosure/2020/May/28 https://pitstop.manageengine.com/portal/community/topic/upgrade-datasecurity-plus-to-the-build-6013-to-fix-security-issues - • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 8.8EPSS: 5%CPEs: 2EXPL: 2CVE-2020-11531 – ManageEngine DataSecurity Plus Path Traversal / Code Execution
https://notcve.org/view.php?id=CVE-2020-11531
The DataEngine Xnode Server application in Zoho ManageEngine DataSecurity Plus prior to 6.0.1 does not validate the database schema name when handling a DR-SCHEMA-SYNC request. This allows an authenticated attacker to execute code in the context of the product by writing a JSP file to the webroot directory via directory traversal. La aplicación DataEngine Xnode Server en Zoho ManageEngine DataSecurity Plus versiones anteriores a 6.0.1, no comprueba el nombre del esquema de la base de datos al manejar una petición DR-SCHEMA-SYNC. Esto permite a un atacante autenticado ejecutar código en el contexto del producto al escribir un archivo JSP en el directorio webroot por medio de un salto de directorio. ManageEngine DataSecurity Plus versions prior to 6.0.1 and ADAudit Plus versions prior to 6.0.3 suffers from a path traversal vulnerability that can lead to remote code execution. • http://packetstormsecurity.com/files/157604/ManageEngine-DataSecurity-Plus-Path-Traversal-Code-Execution.html http://seclists.org/fulldisclosure/2020/May/27 https://pitstop.manageengine.com/portal/community/topic/upgrade-datasecurity-plus-to-the-build-6013-to-fix-security-issues • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 97%CPEs: 80EXPL: 1CVE-2020-12116
https://notcve.org/view.php?id=CVE-2020-12116
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. Zoho ManageEngine OpManager Stable build anterior a 124196 y Released build anterior a 125125, permite a un atacante no autenticado leer archivos arbitrarios en el servidor mediante el envío de una petición diseñada. • https://github.com/BeetleChunks/CVE-2020-12116 https://www.manageengine.com/network-monitoring/help/read-me-complete.html https://www.manageengine.com/network-monitoring/help/read-me-complete.html#125125 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •