CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-13050
https://notcve.org/view.php?id=CVE-2018-13050
A SQL Injection vulnerability exists in Zoho ManageEngine Applications Manager 13.x before build 13800 via the j_username parameter in a /j_security_check POST request. Existe una vulnerabilidad de inyección SQL en Zoho ManageEngine Applications Manager en versiones 13.x anteriores a la build 13800 mediante el parámetro j_username en una petición POST en /j_security_check. • https://github.com/x-f1v3/ForCve/issues/1 https://www.manageengine.com/products/applications_manager/issues.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-13050.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 97%CPEs: 1EXPL: 4CVE-2018-7890 – ManageEngine Applications Manager 13.5 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-7890
A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection. Se ha descubierto un problema de ejecución remota de código en Zoho ManageEngine Applications Manager, en versiones anteriores a la 13.6 (build 13640). • https://www.exploit-db.com/exploits/44274 http://www.securityfocus.com/bid/103358 https://github.com/rapid7/metasploit-framework/pull/9684 https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-7890.html https://raw.githubusercontent.com/ra • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-16850
https://notcve.org/view.php?id=CVE-2017-16850
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action. Zoho ManageEngine Applications Manager 13 antes de la build 13530 permite una inyección SQL mediante el parámetro resourceid en /showresource.do en una acción getResourceProfiles. • http://code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2017-16850.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-16846
https://notcve.org/view.php?id=CVE-2017-16846
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter. Zoho ManageEngine Applications Manager 13 antes de la build 13530 permite una inyección SQL mediante el parámetro haid en /manageApplications.do?method=AddSubGroup. • http://code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2017-16846.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-16848
https://notcve.org/view.php?id=CVE-2017-16848
Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter. Zoho ManageEngine Applications Manager 13 permite inyección SQL mediante el parámetro groupname en /manageConfMons.do. • http://code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •