Page 51 of 458 results (0.009 seconds)

CVSS: 10.0EPSS: 97%CPEs: 1EXPL: 5

CVE-2020-10189 – Zoho ManageEngine Desktop Central File Upload Vulnerability

https://notcve.org/view.php?id=CVE-2020-10189

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets. Zoho ManageEngine Desktop Central anterior a la versión 10.0.474 permite la ejecución remota de código debido a la deserialización de datos no seguros en getChartImage en la clase FileStorage. Esto está relacionado con los servlets CewolfServlet y MDMLogUploaderServlet. Zoho ManageEngine Desktop Central contains a file upload vulnerability that allows for unauthenticated remote code execution. • https://www.exploit-db.com/exploits/48224 https://github.com/zavke/CVE-2020-10189-ManageEngine http://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html https://cwe.mitre.org/data/definitions/502.html https://srcincite.io/advisories/src-2020-0011 https://srcincite.io/pocs/src-2020-0011.py.txt https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html https://www.zdnet.com/article/zoho-zero-day-published-on-twitter https: • CWE-502: Deserialization of Untrusted Data •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2019-20474

https://notcve.org/view.php?id=CVE-2019-20474

An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF. Se detectó un problema en Zoho ManageEngine Remote Access Plus versión 10.0.447. El servicio para probar la configuración del servidor de correo sufre un problema de autorización permitiendo que un usuario con el rol Guest (acceso de solo lectura) lo use y abuse. • https://excellium-services.com/cert-xlm-advisory/cve-2019-20474 https://www.manageengine.com/remote-desktop-management/knowledge-base/authorization-failure.html • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 5.3EPSS: 0%CPEs: 61EXPL: 0

CVE-2019-19800

https://notcve.org/view.php?id=CVE-2019-19800

Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet. Zoho ManageEngine Applications Manager 14 versiones anteriores a 14520, permite a un atacante remoto no autenticado revelar nombres de archivos del Sistema Operativo por medio de FailOverHelperServlet. • https://gitlab.com/eLeN3Re/CVE-2019-19800 https://www.manageengine.com https://www.manageengine.com/products/applications_manager/release-notes.html • CWE-306: Missing Authentication for Critical Function •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2020-8422

https://notcve.org/view.php?id=CVE-2020-8422

An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password). Se detectó un problema de autorización en la funcionalidad Credential Manager en Zoho ManageEngine Remote Access Plus versiones anteriores a 10.0.450. Un usuario con el rol Invitado puede extraer la colección de todas las credenciales definidas de máquinas remotas: el nombre de credencial, el tipo de credencial, el nombre de usuario, el nombre de dominio y grupo de trabajo y la descripción (pero no la contraseña). • https://excellium-services.com/cert-xlm-advisory/CVE-2020-8422 https://excellium-services.com/cert-xlm-advisory/cve-2020-8422 •

CVSS: 9.8EPSS: 11%CPEs: 1EXPL: 5

CVE-2013-7390 – ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution

https://notcve.org/view.php?id=CVE-2013-7390

Unrestricted file upload vulnerability in AgentLogUploadServlet in ManageEngine DesktopCentral 7.x and 8.0.0 before build 80293 allows remote attackers to execute arbitrary code by uploading a file with a jsp extension, then accessing it via a direct request to the file in the webroot. Una vulnerabilidad de carga de archivos sin restricciones en la función AgentLogUploadServlet en ManageEngine DesktopCentral versiones 7.x y 8.0.0 anterior al build 80293, permite a atacantes remotos ejecutar código arbitrario mediante la carga de un archivo con una extensión jsp y luego acceder a él mediante una petición directa al archivo en la root web. • https://www.exploit-db.com/exploits/34518 https://www.exploit-db.com/exploits/29674 https://www.exploit-db.com/exploits/29812 http://seclists.org/fulldisclosure/2013/Nov/130 https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/desktopcentral_file_upload.rb http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf https://seclists.org/fulldisclosure/2013/Nov/130 • CWE-434: Unrestricted Upload of File with Dangerous Type •