CVSS: 6.1 • EPSS: 96% • CPEs: 5 • EXPL: 4

A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.

Zoho ManageEngine version 13 (13790 build) suffers from file read, file deletion, and cross-site scripting vulnerabilities.

• http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html
• http://seclists.org/fulldisclosure/2018/Jul/75
• http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201807-036
• https://github.com/unh3x/just4cve/issues/10
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary web script or HTML via a crafted description value. This can be exploited through CSRF.

• http://www.securityfocus.com/bid/104251
• https://www.manageengine.com/products/netflow/readme.html#123125
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Cross-site request forgery (CSRF) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to hijack the authentication of administrators.

• http://jvn.jp/en/jp/JVN79284156/index.html
• http://jvndb.jvn.jp/jvndb/JVNDB-2015-000076
• http://www.securityfocus.com/bid/75067
• http://www.securitytracker.com/id/1032516
• https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerability-fix-for-fails-to-restrict-access-permissions-cross-site-scripting-cross-site-request-forgery-over-build-10250
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.

• http://www.securityfocus.com/bid/75068
• http://www.securitytracker.com/id/1032516
• https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerability-fix-for-fails-to-restrict-access-permissions-cross-site-scripting-cross-site-request-forgery-over-build-10250
• CWE-284: Improper Access Control

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Cross-site scripting (XSS) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

• http://jvn.jp/en/jp/JVN98447310/index.html
• http://jvndb.jvn.jp/jvndb/JVNDB-2015-000074
• http://www.securityfocus.com/bid/75071
• http://www.securitytracker.com/id/1032516
• https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerability-fix-for-fails-to-restrict-access-permissions-cross-site-scripting-cross-site-request-forgery-over-build-10250
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')