CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-5799 – ManageEngine Service Desk Plus Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-5799
In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139. En Zoho ManageEngine ServiceDesk Plus en versiones anteriores a la 9403, un problema Cross-Site Scripting (XSS) permite que un atacante ejecute código JavaScript arbitrario mediante un URI /api/request/?OPERATION_NAME=, también conocido como SD-69139. ManageEngine Service Desk Plus versions prior to 9403 suffer from a cross site scripting vulnerability. • http://seclists.org/fulldisclosure/2018/Mar/58 https://www.manageengine.com/products/service-desk/readme.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8722
https://notcve.org/view.php?id=CVE-2018-8722
Zoho ManageEngine Desktop Central version 9.1.0 build 91099 has multiple XSS issues that were fixed in build 92026. Zoho ManageEngine Desktop Central, en su versión 9.1.0 build 91099, tiene múltiples problemas de Cross-Site Scripting (XSS) que se solucionaron en la build 92026. • https://www.manageengine.com/products/desktop-central/cross-site-scripting-vulnerability.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-8721
https://notcve.org/view.php?id=CVE-2018-8721
Zoho ManageEngine EventLog Analyzer version 11.0 build 11000 has Stored XSS related to the index2.do?url=editAlertForm&tab=alert&alert=profile URI and the Edit Alert Profile screen Zoho ManageEngine EventLog Analyzer, en su versión 11.0 build 11000, tiene Cross-Site Scripting (XSS) persistente relacionado con la URI index2.do?url=editAlertFormtab=alertalert=profile y la pantalla Edit Alert Profile. • http://www.securityfocus.com/bid/103424 https://pitstop.manageengine.com/portal/community/topic/manageengine-eventlog-analyzer-11-0-build-11000-stored-cross-site-scripting-attack • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-7405
https://notcve.org/view.php?id=CVE-2018-7405
Cross-site scripting (XSS) in Zoho ManageEngine EventLog Analyzer before 11.12 Build 11120 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad de Cross-Site Scripting (XSS) en versiones anteriores a la 11.12 Build 11120 de Zoho ManageEngine EventLog Analyzer permite a atacantes remotos inyectar scripts web o HTML arbitrarios utilizando vectores no especificados. • https://pitstop.manageengine.com/portal/community/topic/security-notice https://www.manageengine.com/products/eventlog/release-notes.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 97%CPEs: 1EXPL: 3CVE-2018-7890 – ManageEngine Applications Manager 13.5 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-7890
A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection. Se ha descubierto un problema de ejecución remota de código en Zoho ManageEngine Applications Manager, en versiones anteriores a la 13.6 (build 13640). • https://www.exploit-db.com/exploits/44274 http://www.securityfocus.com/bid/103358 https://github.com/rapid7/metasploit-framework/pull/9684 https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-7890.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •