CVSS: 5.3EPSS: 0%CPEs: 61EXPL: 0CVE-2019-19800
https://notcve.org/view.php?id=CVE-2019-19800
Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet. Zoho ManageEngine Applications Manager 14 versiones anteriores a 14520, permite a un atacante remoto no autenticado revelar nombres de archivos del Sistema Operativo por medio de FailOverHelperServlet. • https://gitlab.com/eLeN3Re/CVE-2019-19800 https://www.manageengine.com https://www.manageengine.com/products/applications_manager/release-notes.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19475
https://notcve.org/view.php?id=CVE-2019-19475
An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in “Authenticated Users” group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrary command to escalate and gain full system privilege user access and rights over the system. Se descubrió un problema en ManageEngine Applications Manager 14 con Build 14360. El PostgreSQL integrado que está incorporado en el Administrador de aplicaciones es propenso a ataques debido a la falta de seguridad de permisos de archivos. • https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-19475.html • CWE-276: Incorrect Default Permissions •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 0CVE-2019-19649
https://notcve.org/view.php?id=CVE-2019-19649
Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function. Zoho ManageEngine Applications Manager versiones anteriores a 13620, permite una inyección SQL no autenticada remota por medio del parámetro eventid de SyncEventServlet en la función doGet del archivo SyncEventServlet.java. • https://gitlab.com/eLeN3Re/CVE-2019-19649 https://www.manageengine.com/products/applications_manager/release-notes.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19650
https://notcve.org/view.php?id=CVE-2019-19650
Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. Zoho ManageEngine Applications Manager versiones anteriores a 13640, permite una inyección SQL autenticada remota por medio del parámetro Agentid del agente servlet en la función del proceso Agent.java. • https://gitlab.com/eLeN3Re/CVE-2019-19650 https://www.manageengine.com/products/applications_manager/release-notes.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 2CVE-2019-15104 – ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-15104
An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Se detectó un problema en Zoho ManageEngine OpManager versiones hasta 12.4x. • https://www.exploit-db.com/exploits/47227 http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Privilege-Escalation-Remote-Command-Execution.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15104.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •