CVE-2018-11808
https://notcve.org/view.php?id=CVE-2018-11808
Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server. Control de acceso incorrecto en CustomFieldsFeedServlet en ManageEngine Applications Manager, en las versiones 13 anteriores a la build 13740, permite que un atacante elimine cualquier archivo y leer ciertos archivos en el servidor en el contexto del usuario (que por defecto es "NT AUTHORITY / SYSTEM") mediante el envío de una petición especialmente manipulada al servidor. • http://www.securityfocus.com/bid/104467 https://github.com/kactrosN/publicdisclosures https://www.manageengine.com/products/applications_manager/issues.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-11808.html • CWE-20: Improper Input Validation •
CVE-2018-7890 – ManageEngine Applications Manager 13.5 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-7890
A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection. Se ha descubierto un problema de ejecución remota de código en Zoho ManageEngine Applications Manager, en versiones anteriores a la 13.6 (build 13640). • https://www.exploit-db.com/exploits/44274 http://www.securityfocus.com/bid/103358 https://github.com/rapid7/metasploit-framework/pull/9684 https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-7890.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2017-16849
https://notcve.org/view.php?id=CVE-2017-16849
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter. Zoho ManageEngine Applications Manager 13 antes de la build 13530 permite una inyección SQL mediante el parámetro forpage en /MyPage.do?method=viewDashBoard. • http://code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2017-16849.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2017-16851
https://notcve.org/view.php?id=CVE-2017-16851
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter. Zoho ManageEngine Applications Manager 13 antes de la build 13530 permite una inyección SQL mediante el parámetro widgetid en /MyPage.do. • http://code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2017-16851.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2017-16847
https://notcve.org/view.php?id=CVE-2017-16847
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action. Zoho ManageEngine Applications Manager 13 antes de la build 13530 permite una inyección SQL mediante el parámetro resourceid en /showresource.do en una acción showPlasmaView. • http://code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2017-16847.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •