CVE-2015-0866 – SupportCenter Plus 7.9 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2015-0866
Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustomer, (2) username, or (3) password parameter to HomePage.do. SupportCenter Plus version 7.9 suffers from a cross-site scripting vulnerability.
References:
http://www.securityfocus.com/archive/1/534564/100/0/threaded
http://www.securityfocus.com/bid/72349
https://forums.manageengine.com/topic/security-update-for-supportcenter-plus
https://www.htbridge.com/advisory/HTB23247
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-100002 – ManageEngine Support Center Plus 7916 - Directory Traversal
https://notcve.org/view.php?id=CVE-2014-100002
Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to WorkOrder.do in the file attachment for a new ticket.
References:
https://www.exploit-db.com/exploits/31262
http://osvdb.org/show/osvdb/102656
http://www.exploit-db.com/exploits/31262
https://exchange.xforce.ibmcloud.com/vulnerabilities/90806
https://supportcenter.wiki.zoho.com/ReadMe-V2.html
Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')