CVSS: 7.5EPSS: 7%CPEs: 1EXPL: 4CVE-2018-12999 – Zoho ManageEngine 13 (13790 build) XSS / File Read / File Deletion
https://notcve.org/view.php?id=CVE-2018-12999
Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI. Un control de acceso incorrecto en AgentTrayIconServlet en Zoho ManageEngine Desktop Central 10.0.255 permite a los atacantes borrar determinados archivos en el servidor web sin tener que iniciar sesión enviando una petición especialmente manipulada al servidor con una subcadena computerName=.../ al URI /agenttrayicon. Zoho ManageEngine version 13 (13790 build) suffers from file read, file deletion, and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html http://seclists.org/fulldisclosure/2018/Jul/74 http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201807-035 https://github.com/unh3x/just4cve/issues/9 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 2%CPEs: 2EXPL: 1CVE-2018-5339
https://notcve.org/view.php?id=CVE-2018-5339
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions. Se ha descubierto un problema en Zoho ManageEngine Desktop Central 10.0.124 y 10.0.184 de aplicación insuficiente de restricciones de tipo consulta de base de datos. • https://www.manageengine.com/products/desktop-central/query-restriction-bypass-vulnerability.html https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-manageengine-desktop-central • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 2%CPEs: 2EXPL: 1CVE-2018-5338
https://notcve.org/view.php?id=CVE-2018-5338
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: missing authentication/authorization for a database query mechanism. Se ha descubierto un problema en Zoho ManageEngine Desktop Central 10.0.124 y 10.0.184 de falta de autenticación/autorización para un mecanismo de consulta de base de datos. • https://www.manageengine.com/products/desktop-central/elevation-of-privilege-vulnerability.html https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-manageengine-desktop-central • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 1CVE-2018-5340
https://notcve.org/view.php?id=CVE-2018-5340
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: database access using a superuser account (specifically, an account with permission to write to the filesystem via SQL queries). Se ha descubierto un problema en Zoho ManageEngine Desktop Central 10.0.124 y 10.0.184 de acceso a la base de datos mediante una cuenta de superusuario (concretamente, una cuenta con permisos para escribir en el sistema de archivos mediante consultas SQL). • https://www.manageengine.com/products/desktop-central/query-restriction-bypass-vulnerability.html https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-manageengine-desktop-central •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 1CVE-2018-5341
https://notcve.org/view.php?id=CVE-2018-5341
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: a missing server-side check on the file type/extension when uploading and modifying scripts. Se ha descubierto un problema en Zoho ManageEngine Desktop Central 10.0.124 y 10.0.184 de falta de comprobación del lado del servidor en la extensión/tipo de archivo al subir y modificar scripts. • https://www.manageengine.com/products/desktop-central/elevation-of-privilege-vulnerability.html https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-manageengine-desktop-central • CWE-20: Improper Input Validation •