CVE-2019-12133
https://notcve.org/view.php?id=CVE-2019-12133
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus. Varios productos Zoho ManageEngine sufren una escalada de privilegios locales debido a permisos inapropiados para el directorio %SYSTEMDRIVE%\ManageEngine y sus subcarpetas. • https://github.com/active-labs/Advisories/blob/master/2019/ACTIVE-2019-007.md https://www.manageengine.com/products/desktop-central/elevation-of-privilege-vulnerability.html • CWE-427: Uncontrolled Search Path Element CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2019-12538 – Zoho ManageEngine ServiceDesk Plus 9.3 - 'SiteLookup.do' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-12538
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field. Se descubrió un problema en Zoho ManageEngine ServiceDesk Plus 9.3. Hay XSS a través del campo de búsqueda SiteLookup.do. • https://www.exploit-db.com/exploits/46963 https://github.com/tarantula-team/CVE-2019-12538 https://www.manageengine.com/products/service-desk/readme.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-12541 – Zoho ManageEngine ServiceDesk Plus 9.3 - 'SolutionSearch.do' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-12541
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter. Se descubrió un problema en Zoho ManageEngine ServiceDesk Plus 9.3. Hay XSS a través del parámetro SolutionSearch.do searchText. • https://www.exploit-db.com/exploits/46964 https://github.com/tarantula-team/CVE-2019-12541 https://www.manageengine.com/products/service-desk/readme.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-12542 – Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-12542
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter. Se descubrió un problema en Zoho ManageEngine ServiceDesk Plus 9.3. Hay XSS a través del parámetro UserConfigID de SearchN.do. • https://www.exploit-db.com/exploits/46965 https://github.com/tarantula-team/CVE-2019-12542 https://www.manageengine.com/products/service-desk/readme.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-12543 – Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-12543
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter. Se descubrió un problema en Zoho ManageEngine ServiceDesk Plus 9.3. Hay XSS a través del parámetro PurchaseRequest.do serviceRequestId. • https://www.exploit-db.com/exploits/46966 https://github.com/tarantula-team/CVE-2019-12543 https://www.manageengine.com/products/service-desk/readme.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •