CVSS: 7.2EPSS: 7%CPEs: 1EXPL: 2CVE-2019-19034 – ManageEngine AssetExplorer Authenticated Command Execution
https://notcve.org/view.php?id=CVE-2019-19034
Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges. Zoho ManageEngine Asset Explorer versión 6.5, no comprueba el nombre de usuario de la base de datos de System Center Configuration Manager (SCCM) cuando genera dinámicamente un comando para programar escaneos para SCCM. Esto permite a un atacante ejecutar comandos arbitrarios en el servidor AssetExplorer con privilegios NT AUTHORITY/SYSTEM. ManageEngine AssetExplorer versions prior to 6.5 (6503) suffer from an authenticated remote command execution vulnerability. • http://packetstormsecurity.com/files/157731/ManageEngine-AssetExplorer-Authenticated-Command-Execution.html http://seclists.org/fulldisclosure/2020/May/36 https://www.manageengine.com/products/asset-explorer/sp-readme.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 2CVE-2020-8838 – ManageEngine Asset Explorer Windows Agent Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-8838
An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. During an upgrade of the Windows agent, it does not validate the source and binary downloaded. This allows an attacker on an adjacent network to execute code with NT AUTHORITY/SYSTEM privileges on the agent machines by providing an arbitrary executable via a man-in-the-middle attack. Se detectó un problema en Zoho ManageEngine AssetExplorer versión 6.5. Durante una actualización del agente de Windows, no comprueba la fuente y el binario descargado. • http://packetstormsecurity.com/files/157612/ManageEngine-Asset-Explorer-Windows-Agent-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2020/May/29 https://www.manageengine.com/products/asset-explorer/sp-readme.html • CWE-354: Improper Validation of Integrity Check Value •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-15510
https://notcve.org/view.php?id=CVE-2019-15510
ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 10 allows HTML injection on the user administration page via the description of a role. El archivo ManageEngine_DesktopCentral.exe en Zoho ManageEngine Desktop Central versión 10, permite una inyección de HTML en la página de administración de usuario por medio de la descripción de un rol. • https://www.esecforte.com/responsible-vulnerability-disclosure-cve-2019-15510-manageengine-desktopcentral-v-10-vulnerable-to-html-injection https://www.manageengine.com/products/desktop-central/html-injection.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11361
https://notcve.org/view.php?id=CVE-2019-11361
Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user permissions properly, allowing for privilege escalation and eventually a full application takeover. Zoho ManageEngine Remote Access Plus versión 10.0.258, no comprueba los permisos del usuario apropiadamente, lo que permite una escalada de privilegios y, eventualmente, una toma de control de la aplicación completa. • https://www.manageengine.com/remote-desktop-management/knowledge-base/elevation-of-privilege.html • CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 0%CPEs: 15EXPL: 0CVE-2020-9347
https://notcve.org/view.php?id=CVE-2020-9347
Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products ** EN DISPUTA ** Zoho ManageEngine Password Manager Pro hasta la versión de 10.x tiene una vulnerabilidad de inyección de macro en Excel CSV a través de un nombre especialmente diseñado que es mal manejado por la función Exportar contraseñas. NOTA: el proveedor cuestiona la importancia de este informe porque espera que una aplicación externa proporcione la mitigación del riesgo de CSV y no planea agregar restricciones de CSV a sus propios productos. • https://www.infigo.hr/upload/web_struktura/Zoho_ManageEngine_Password_Manager_Pro_10.x_CSV_Excel_Macro_Injection.txt • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •