
CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0 before Build 8012 does not require authentication, which allows remote attackers to read files from a specific directory via unspecified vectors. • http://www.kb.cert.org/vuls/id/543310 • CWE-287: Improper Authentication

CVSS: 5.0 | EPSS: 0% | CPEs: 4 | EXPL: 4

Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0.0.12 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the FILENAME parameter. NOTE: this might overlap the US-CERT VU#543310 issue. • https://www.exploit-db.com/exploits/17503 https://www.exploit-db.com/exploits/17437 https://www.exploit-db.com/exploits/17442 http://www.exploit-db.com/exploits/17503 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-site scripting (XSS) vulnerability in jsp/audit/reports/ExportReport.jsp in ManageEngine ADAudit Plus 4.0.0 build 4043 allows remote attackers to inject arbitrary web script or HTML via the reportList parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. • http://osvdb.org/64726 http://secunia.com/advisories/39876 http://www.securityfocus.com/bid/40253 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 4

SQL injection vulnerability in Login.do in ManageEngine OpUtils 5.0 allows remote attackers to execute arbitrary SQL commands via the isHttpPort parameter. • https://www.exploit-db.com/exploits/11330 http://packetstormsecurity.org/1002-exploits/oputils_5-sql.txt http://www.exploit-db.com/exploits/11330 http://www.securityfocus.com/bid/38082 https://exchange.xforce.ibmcloud.com/vulnerabilities/56102 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 4.3 | EPSS: 0% | CPEs: 12 | EXPL: 1

The cross-site scripting (XSS) protection mechanism in ShowInContentAreaAction.do in ManageEngine Password Manager Pro (PMP) before 6.1 Build 6104 uses case-sensitive checks for malicious inputs, which allows remote attackers to inject arbitrary web script or HTML via the searchtext parameter and other unspecified inputs. • http://forums.manageengine.com/#Topic/49000003740390 http://secunia.com/advisories/37765 http://www.manageengine.com/products/passwordmanagerpro/release-notes.html http://www.scip.ch/?vuldb.4063 http://www.scip.ch/publikationen/advisories/scip_advisory-4063_manageengine_pmp_script_injection.txt http://www.securityfocus.com/bid/37336 http://www.vupen.com/english/advisories/2009/3540 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')