Page 5 of 44 results (0.011 seconds)

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1

In Zoho ManageEngine Application Manager prior to 14.6 Build 14660, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack. En Zoho ManageEngine Application Manager anterior a la version 14.6 Build 14660, el parámetro 'haid' del módulo '/auditLogAction.do' es vulnerable a un ataque de inyección SQL tipo time-based-blind • http://application.com http://manageengine.com http://www.securityfocus.com/bid/108470 https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2017-11738.html https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18734 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

In Zoho ManageEngine Application Manager 13.1 Build 13100, an authenticated user, with administrative privileges, has the ability to add a widget on any dashboard. This widget can be a "Utility Widget" with a "Custom HTML or Text" field. Once this widget is created, it will be loaded on the dashboard where it was added. An attacker can abuse this functionality by creating a "Utility Widget" that contains malicious JavaScript code, aka XSS. En Zoho ManageEngine Application Manager 13.1 Build 13100, un usuario autenticado, con privilegios administrativos, tiene la facultad de agregar un widget en cualquier panel. • http://application.com http://manageengine.com http://www.securityfocus.com/bid/108469 https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18734 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 1

In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be executed upon the occurrence of an alarm. An attacker can abuse this functionality by uploading a malicious script that can be executed on the remote system. En Zoho ManageEngine Application Manager 13.1 Build 13100, el usuario administrativo tiene la capacidad para cargar archivos binarios que pueden ejecutarse cuando ocurre una alarma. Un atacante puede abusar de esta funcionalidad cargando un script malicioso que puede ser ejecutado en el sistema remoto. • http://application.com http://manageengine.com https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18734 • CWE-20: Improper Input Validation •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 3

Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature. Zoho ManageEngine Applications Manager, versiones desde 12 hasta 14, permite la inyección de SQL del resourceid FaultTemplateOptions.jsp. Posteriormente, un usuario no autenticado puede obtener la autoridad de SYSTEM en el servidor cargando un archivo malicioso a través de la función "Ejecutar acción(es) de programa". • https://www.exploit-db.com/exploits/46740 http://packetstormsecurity.com/files/152607/ManageEngine-Applications-Manager-14.0-SQL-Injection-Command-Injection.html https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-Auth-Bypass-Remote-Command-Execution.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-11469.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2

An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file. Se ha descubierto un problema en Zoho ManageEngine Applications Manager 11.0 hasta 14.0. Un usuario no autenticado puede obtener la autoridad de SYSTEM en el servidor debido a una vulnerabilidad SQL injection en Popup_SLA.jsp. • https://www.exploit-db.com/exploits/46725 https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-SQLi-Remote-Code-Execution.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-11448.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •