CVSS: 9.3EPSS: 0%CPEs: 10EXPL: 1CVE-2018-16364
https://notcve.org/view.php?id=CVE-2018-16364
A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share. Una vulnerabilidad de serialización en Zoho ManageEngine Applications Manager antes de la build 13740 permite la ejecución remota de código en Windows mediante una carga útil en una compartición SMB. • https://blog.jamesotten.com/post/applications-manager-rce • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 40%CPEs: 1EXPL: 1CVE-2018-17283
https://notcve.org/view.php?id=CVE-2018-17283
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter. Zoho ManageEngine OpManager en versiones anteriores a la 12.3 Build 123196 no requiere autenticación para las peticiones /oputilsServlet, tal y como queda demostrado con una petición /oputilsServlet?action=getAPIKey que puede aprovecharse contra Firewall Analyzer para añadir un usuario administrador mediante /api/json/v2/admin/addUser o llevar a cabo un ataque de inyección SQL mediante el parámetro name en /api/json/device/setManaged. • https://github.com/x-f1v3/ForCve/issues/4 https://www.manageengine.com/network-monitoring/help/read-me.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2018-17243
https://notcve.org/view.php?id=CVE-2018-17243
Global Search in Zoho ManageEngine OpManager before 12.3 123205 allows SQL Injection. Global Search en Zoho ManageEngine OpManager en versiones anteriores a la 12.3 123205 permite la inyección SQL. • https://www.manageengine.com/network-monitoring/help/read-me.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-16965 – ManageEngine SupportCenter Plus 8.1.0 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-16965
In Zoho ManageEngine SupportCenter Plus before 8.1 Build 8109, there is HTML Injection and Stored XSS via the /ServiceContractDef.do contractName parameter. En Zoho ManageEngine SupportCenter Plus en versiones anteriores a la 8.1 Build 8109, hay una inyección HTML y Cross-Site Scripting (XSS) persistente mediante el parámetro contractName en /ServiceContractDef.do. ManageEngine SupportCenter Plus version 8.1.0 suffers from cross site scripting and html injection vulnerabilities. • http://packetstormsecurity.com/files/149438/ManageEngine-SupportCenter-Plus-8.1.0-Cross-Site-Scripting.html https://pitstop.manageengine.com/portal/community/topic/supportcenter-plus-version-8-1-build-8109-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 6%CPEs: 1EXPL: 0CVE-2018-16833 – ManageEngine Desktop Central 10.0.271 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-16833
Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI. Zoho ManageEngine Desktop Central 10.0.271 tiene Cross-Site Scripting (XSS) mediante el campo de búsqueda "Features Articles" en el URI /advsearch.do?SUBREQUEST=XMLHTTP. ManageEngine Desktop Central version 10.0.271 suffers from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/149436/ManageEngine-Desktop-Central-10.0.271-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •