CVE-2019-17112
https://notcve.org/view.php?id=CVE-2019-17112
An issue was discovered in Zoho ManageEngine DataSecurity Plus before 5.0.1 5012. An exposed service allows a basic user ("Operator" access level) to access the configuration file of the mail server (except for the password).
References:
• https://excellium-services.com/cert-xlm-advisory/cve-2019-17112
• https://www.manageengine.com/data-security/release-notes.html
CWE-552: Files or Directories Accessible to External Parties
CVE-2019-15045 – Zoho Corporation ManageEngine ServiceDesk Plus Information Disclosure
https://notcve.org/view.php?id=CVE-2019-15045
** DISPUTED ** AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality. Zoho Corporation ManageEngine ServiceDesk Plus 10 versions prior to 10509 suffer from an information leakage vulnerability.
References:
• http://packetstormsecurity.com/files/154183/Zoho-Corporation-ManageEngine-ServiceDesk-Plus-Information-Disclosure.html
• http://seclists.org/fulldisclosure/2019/Aug/17
• https://www.manageengine.com/products/service-desk/readme.html
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-15104 – ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-15104
An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.
References:
• https://www.exploit-db.com/exploits/47227
• http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Privilege-Escalation-Remote-Command-Execution.html
• https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15104.html
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-15105 – ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-15105
An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.
References:
• https://www.exploit-db.com/exploits/47228
• http://pentest.com.tr/exploits/DEFCON-ManageEngine-APM-v14-Privilege-Escalation-Remote-Command-Execution.html
• https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15105.html
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-15106 – ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-15106
An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The string username + '@opm' is used for the password. For example, if the username is admin, the password is admin@opm.
References:
• https://www.exploit-db.com/exploits/47229
• http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Unauthenticated-Remote-Command-Execution.html
• https://www.manageengine.com/network-monitoring/security-updates/cve-2019-15106.html
• https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15106.html
CWE-306: Missing Authentication for Critical Function