Page 8 of 39 results (0.003 seconds)

CVSS: 6.5EPSS: 96%CPEs: 1EXPL: 1

Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. Zoho ManageEngine ServiceDesk Plus (SDP), en versiones anteriores a la 10.0 build 10012, permite que los atacantes remotos suban archivos arbitrarios mediante la personalización de la página de inicio. Zoho ManageEngine ServiceDesk Plus (SDP) versions prior to 10.0 build 10012 suffer from an arbitrary file upload vulnerability. Zoho ManageEngine ServiceDesk Plus (SDP) contains an unspecified vulnerability that allows remote users to upload files via login page customization. • https://www.exploit-db.com/exploits/46413 http://www.securityfocus.com/bid/107129 https://www.manageengine.com/products/service-desk/readme.html • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0

An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request. Existe una vulnerabilidad IDOR (Insecure Direct Object Reference) en Zoho ManageEngine ServiceDesk Plus (SDP) en versiones anteriores a la 10.0 build 10007 mediante un adjunto en una petición. • https://www.manageengine.com/products/service-desk/readme.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-706: Use of Incorrectly-Resolved Name or Reference •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the accounts exists, or 'null' if it does not. Se ha descubierto un problema en Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Los usuarios no autenticados pueden validar cuentas de usuario de dominio mediante el envío de una petición que contiene el nombre de usuario de un endpoint de la API. • http://www.securityfocus.com/bid/104287 https://gitlab.com/e-sterling/cve-2018-7248 https://medium.com/%40esterling_/cve-2018-7248-enumerating-active-directory-users-via-unauthenticated-manageengine-servicedesk-a1eda2942eb0 •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139. En Zoho ManageEngine ServiceDesk Plus en versiones anteriores a la 9403, un problema Cross-Site Scripting (XSS) permite que un atacante ejecute código JavaScript arbitrario mediante un URI /api/request/?OPERATION_NAME=, también conocido como SD-69139. ManageEngine Service Desk Plus versions prior to 9403 suffer from a cross site scripting vulnerability. • http://seclists.org/fulldisclosure/2018/Mar/58 https://www.manageengine.com/products/service-desk/readme.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •