CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 3CVE-2018-12997 – Zoho ManageEngine 13 (13790 build) XSS / File Read / File Deletion
https://notcve.org/view.php?id=CVE-2018-12997
Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers to read certain files on the web server without login by sending a specially crafted request to the server with the operation=copyfile&fileName= substring. Control de acceso incorrecto en FailOverHelperServlet en Zoho ManageEngine Netflow Analyzer antes de la build123137, Network Configuration Manager antes de la build 123128, OpManager antes de la build 123148, OpUtils antes de la build 123161 y Firewall Analyzer antes de la build 123147 permite a los atacantes leer determinados archivos en el servidor web sin necesidad de iniciar sesión mediante el envío de una petición especialmente manipulada al servidor con la subcadena operation=copyfilefileName=. Zoho ManageEngine version 13 (13790 build) suffers from file read, file deletion, and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html http://seclists.org/fulldisclosure/2018/Jul/73 http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201807-037 https://github.com/unh3x/just4cve/issues/8 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 7%CPEs: 1EXPL: 4CVE-2018-12999 – Zoho ManageEngine 13 (13790 build) XSS / File Read / File Deletion
https://notcve.org/view.php?id=CVE-2018-12999
Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI. Un control de acceso incorrecto en AgentTrayIconServlet en Zoho ManageEngine Desktop Central 10.0.255 permite a los atacantes borrar determinados archivos en el servidor web sin tener que iniciar sesión enviando una petición especialmente manipulada al servidor con una subcadena computerName=.../ al URI /agenttrayicon. Zoho ManageEngine version 13 (13790 build) suffers from file read, file deletion, and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html http://seclists.org/fulldisclosure/2018/Jul/74 http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201807-035 https://github.com/unh3x/just4cve/issues/9 • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 96%CPEs: 5EXPL: 4CVE-2018-12998 – Zoho ManageEngine 13 (13790 build) XSS / File Read / File Deletion
https://notcve.org/view.php?id=CVE-2018-12998
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet. Una vulnerabilidad Cross-Site Scripting (XSS) reflejado en Zoho ManageEngine Netflow Analyzer antes de la build 123137, Network Configuration Manager antes de la build 123128, OpManager antes de la build 123148, OpUtils antes de la build 123161, y Firewall Analyzer antes de la build 123147 permite a los atacantes remotos inyectar scripts web o HTML arbitrarios a través del parámetro "operation" en /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet. Zoho ManageEngine version 13 (13790 build) suffers from file read, file deletion, and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html http://seclists.org/fulldisclosure/2018/Jul/75 http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201807-036 https://github.com/unh3x/just4cve/issues/10 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 3CVE-2018-12996 – Zoho ManageEngine 13 (13790 build) XSS / File Read / File Deletion
https://notcve.org/view.php?id=CVE-2018-12996
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do. Una vulnerabilidad de Cross-Site Scripting (XSS) reflejado en versiones anteriores a la 13 (Build 13800) de Zoho ManageEngine Applications Manager permite a atacantes remotos inyectar scripts web o HTML arbitrarios mediante el parámetro "method" en GraphicalView.do. Zoho ManageEngine version 13 (13790 build) suffers from file read, file deletion, and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html http://seclists.org/fulldisclosure/2018/Jul/71 http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201807-038 https://github.com/unh3x/just4cve/issues/7 https://www.manageengine.com/products/applications_manager/issues.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-12996.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2018-11808
https://notcve.org/view.php?id=CVE-2018-11808
Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server. Control de acceso incorrecto en CustomFieldsFeedServlet en ManageEngine Applications Manager, en las versiones 13 anteriores a la build 13740, permite que un atacante elimine cualquier archivo y leer ciertos archivos en el servidor en el contexto del usuario (que por defecto es "NT AUTHORITY / SYSTEM") mediante el envío de una petición especialmente manipulada al servidor. • http://www.securityfocus.com/bid/104467 https://github.com/kactrosN/publicdisclosures https://www.manageengine.com/products/applications_manager/issues.html https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-11808.html • CWE-20: Improper Input Validation •