CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 3CVE-2019-11469 – ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-11469
Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature. Zoho ManageEngine Applications Manager, versiones desde 12 hasta 14, permite la inyección de SQL del resourceid FaultTemplateOptions.jsp. Posteriormente, un usuario no autenticado puede obtener la autoridad de SYSTEM en el servidor cargando un archivo malicioso a través de la función "Ejecutar acción(es) de programa". • https://www.exploit-db.com/exploits/46740 http://packetstormsecurity.com/files/152607/ManageEngine-Applications-Manager-14.0-SQL-Injection-Command-Injection.html https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-Auth-Bypass-Remote-Command-Execution.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-11469.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2019-11448 – ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-11448
An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file. Se ha descubierto un problema en Zoho ManageEngine Applications Manager 11.0 hasta 14.0. Un usuario no autenticado puede obtener la autoridad de SYSTEM en el servidor debido a una vulnerabilidad SQL injection en Popup_SLA.jsp. • https://www.exploit-db.com/exploits/46725 https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-SQLi-Remote-Code-Execution.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-11448.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-15168
https://notcve.org/view.php?id=CVE-2018-15168
A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request. Existe una vulnerabilidad de inyección SQL en Zoho ManageEngine Applications Manager 13 antes de la build 13820 mediante el parámetro resids en una petición GET en /editDisplaynames.do?method=editDisplaynames. • https://github.com/x-f1v3/ForCve/issues/2 https://www.manageengine.com/products/applications_manager/issues.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-15168.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-15169
https://notcve.org/view.php?id=CVE-2018-15169
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager 13 before build 13820 allows remote attackers to inject arbitrary web script or HTML via the /deleteMO.do method parameter. Una vulnerabilidad de Cross-Site Scripting (XSS) reflejado en Zoho ManageEngine Applications Manager 13 antes de la build 13820 permite a atacantes remotos inyectar scripts web o HTML arbitrarios mediante el parámetro "method" en /deleteMO.do. • https://github.com/x-f1v3/ForCve/issues/3 https://www.manageengine.com/products/applications_manager/issues.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-15169.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-13050
https://notcve.org/view.php?id=CVE-2018-13050
A SQL Injection vulnerability exists in Zoho ManageEngine Applications Manager 13.x before build 13800 via the j_username parameter in a /j_security_check POST request. Existe una vulnerabilidad de inyección SQL en Zoho ManageEngine Applications Manager en versiones 13.x anteriores a la build 13800 mediante el parámetro j_username en una petición POST en /j_security_check. • https://github.com/x-f1v3/ForCve/issues/1 https://www.manageengine.com/products/applications_manager/issues.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-13050.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •