Page 7 of 51 results (0.006 seconds)

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 3

Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature. Zoho ManageEngine Applications Manager, versiones desde 12 hasta 14, permite la inyección de SQL del resourceid FaultTemplateOptions.jsp. Posteriormente, un usuario no autenticado puede obtener la autoridad de SYSTEM en el servidor cargando un archivo malicioso a través de la función "Ejecutar acción(es) de programa". • https://www.exploit-db.com/exploits/46740 http://packetstormsecurity.com/files/152607/ManageEngine-Applications-Manager-14.0-SQL-Injection-Command-Injection.html https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-Auth-Bypass-Remote-Command-Execution.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-11469.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2

An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file. Se ha descubierto un problema en Zoho ManageEngine Applications Manager 11.0 hasta 14.0. Un usuario no autenticado puede obtener la autoridad de SYSTEM en el servidor debido a una vulnerabilidad SQL injection en Popup_SLA.jsp. • https://www.exploit-db.com/exploits/46725 https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-SQLi-Remote-Code-Execution.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-11448.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.3EPSS: 0%CPEs: 10EXPL: 1

A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share. Una vulnerabilidad de serialización en Zoho ManageEngine Applications Manager antes de la build 13740 permite la ejecución remota de código en Windows mediante una carga útil en una compartición SMB. • https://blog.jamesotten.com/post/applications-manager-rce • CWE-502: Deserialization of Untrusted Data •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1

A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request. Existe una vulnerabilidad de inyección SQL en Zoho ManageEngine Applications Manager 13 antes de la build 13820 mediante el parámetro resids en una petición GET en /editDisplaynames.do?method=editDisplaynames. • https://github.com/x-f1v3/ForCve/issues/2 https://www.manageengine.com/products/applications_manager/issues.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-15168.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager 13 before build 13820 allows remote attackers to inject arbitrary web script or HTML via the /deleteMO.do method parameter. Una vulnerabilidad de Cross-Site Scripting (XSS) reflejado en Zoho ManageEngine Applications Manager 13 antes de la build 13820 permite a atacantes remotos inyectar scripts web o HTML arbitrarios mediante el parámetro "method" en /deleteMO.do. • https://github.com/x-f1v3/ForCve/issues/3 https://www.manageengine.com/products/applications_manager/issues.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-15169.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •