CVE-2017-11559
https://notcve.org/view.php?id=CVE-2017-11559
An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack.
References: http://manageengine.com http://opmanager.com https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18736
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2017-11560
https://notcve.org/view.php?id=CVE-2017-11560
An issue was discovered in ZOHO ManageEngine OpManager 12.2. By adding a Google Map to the application, an authenticated user can upload an HTML file. This HTML file is then rendered in various locations of the application, and JavaScript inside the uploaded HTML is interpreted by the application. Thus, an attacker can inject a malicious JavaScript payload inside the HTML file and upload it to the application.
References: http://manageengine.com http://opmanager.com https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18736
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-11561
https://notcve.org/view.php?id=CVE-2017-11561
An issue was discovered in ZOHO ManageEngine OpManager 12.2. An authenticated user can upload any file they want to share in the "Group Chat" or "Alarm" section. This functionality can be abused by a malicious user by uploading a web shell.
References: http://manageengine.com http://opmanager.com https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18736
Weakness: CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2017-11738
https://notcve.org/view.php?id=CVE-2017-11738
In Zoho ManageEngine Application Manager prior to 14.6 Build 14660, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack.
References: http://application.com http://manageengine.com http://www.securityfocus.com/bid/108470 https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2017-11738.html https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18734
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2017-11739
https://notcve.org/view.php?id=CVE-2017-11739
In Zoho ManageEngine Application Manager 13.1 Build 13100, an authenticated user with administrative privileges has the ability to add a widget on any dashboard. This widget can be a "Utility Widget" with a "Custom HTML or Text" field. Once this widget is created, it is loaded on the dashboard where it was added. An attacker can abuse this functionality by creating a "Utility Widget" that contains malicious JavaScript code, aka XSS.
References: http://application.com http://manageengine.com http://www.securityfocus.com/bid/108469 https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18734
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')