
CVSS: 7.5 • EPSS: 1% • CPEs: 2 • EXPL: 1

An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.
• https://github.com/x-f1v3/ForCve/issues/5
• https://www.manageengine.com/network-monitoring/help/read-me.html
• CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 9.8 • EPSS: 4% • CPEs: 154 • EXPL: 0

Zoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via Mail Server settings. KindEditor through version 4.1.11 has a directory traversal vulnerability in php/upload_json.php. Anyone can browse a file or directory in the kindeditor/attached/ folder via the path parameter without authentication.
• https://www.manageengine.com/network-monitoring/help/read-me.html
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 149 • EXPL: 0

Zoho ManageEngine OpManager 12.3 before 123219 has stored XSS.
• http://packetstormsecurity.com/files/150124/Zoho-ManageEngine-OpManager-12.3-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2018/Nov/3
• https://seclists.org/bugtraq/2018/Oct/60
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 151 • EXPL: 0

Zoho ManageEngine OpManager 12.3 before 123219 has a Self XSS Vulnerability.
• http://packetstormsecurity.com/files/150124/Zoho-ManageEngine-OpManager-12.3-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2018/Nov/6
• https://seclists.org/bugtraq/2018/Oct/61
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 2% • CPEs: 143 • EXPL: 0

Zoho ManageEngine OpManager before 12.3 build 123214 allows Unrestricted Arbitrary File Upload.
• http://packetstormsecurity.com/files/149878/Zoho-ManageEngine-OpManager-12.3-Arbitrary-File-Upload.html
• http://seclists.org/fulldisclosure/2018/Oct/42
• CWE-434: Unrestricted Upload of File with Dangerous Type