CVSS: 9.8EPSS: 2%CPEs: 2EXPL: 1CVE-2018-5339
https://notcve.org/view.php?id=CVE-2018-5339
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions. Se ha descubierto un problema en Zoho ManageEngine Desktop Central 10.0.124 y 10.0.184 de aplicación insuficiente de restricciones de tipo consulta de base de datos. • https://www.manageengine.com/products/desktop-central/query-restriction-bypass-vulnerability.html https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-manageengine-desktop-central • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 1CVE-2018-5342
https://notcve.org/view.php?id=CVE-2018-5342
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account. Se ha descubierto un problema en Zoho ManageEngine Desktop Central 10.0.124 y 10.0.184 de ejecución de servicios de red (Desktop Central y PostgreSQL) con una cuenta de superusuario. • https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-manageengine-desktop-central • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8722
https://notcve.org/view.php?id=CVE-2018-8722
Zoho ManageEngine Desktop Central version 9.1.0 build 91099 has multiple XSS issues that were fixed in build 92026. Zoho ManageEngine Desktop Central, en su versión 9.1.0 build 91099, tiene múltiples problemas de Cross-Site Scripting (XSS) que se solucionaron en la build 92026. • https://www.manageengine.com/products/desktop-central/cross-site-scripting-vulnerability.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 0CVE-2017-16924
https://notcve.org/view.php?id=CVE-2017-16924
Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157. Una revelación de información remota y un escalado de privilegios en ManageEngine Desktop Central MSP 10.0.137 permiten que atacantes descarguen archivos XML sin cifrar que contienen todos los datos de las políticas de configuración mediante una URL /client-data//collections/##/usermgmt.xml predecible, tal y como demuestran las contraseñas y las claves Wi-Fi. Esto se ha solucionado en la build 100157. • https://github.com/snoonan77/security-research/blob/master/CVE-2017-16924 https://www.manageengine.com/desktop-management-msp/password-encryption-policy-violation.html • CWE-330: Use of Insufficiently Random Values •
CVSS: 9.8EPSS: 15%CPEs: 1EXPL: 1CVE-2017-11346 – ManageEngine Desktop Central 10 Build 100087 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-11346
Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos. Desktop Central antes del build 100092 de Zoho ManageEngine, permite a los atacantes remotos ejecutar código arbitrario por medio de vectores que involucran la carga de videos de soporte al usuario. • https://www.exploit-db.com/exploits/42358 https://www.manageengine.com/products/desktop-central/remote-code-execution.html • CWE-20: Improper Input Validation •