CVE-2015-2961
https://notcve.org/view.php?id=CVE-2015-2961
Cross-site request forgery (CSRF) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to hijack the authentication of administrators.
References:
http://jvn.jp/en/jp/JVN79284156/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000076
http://www.securityfocus.com/bid/75067
http://www.securitytracker.com/id/1032516
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerability-fix-for-fails-to-restrict-access-permissions-cross-site-scripting-cross-site-request-forgery-over-build-10250
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2015-4418
https://notcve.org/view.php?id=CVE-2015-4418
Zoho NetFlow Analyzer build 10250 and earlier does not set the autocomplete attribute to "off" on a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.
References:
http://www.securityfocus.com/bid/75068
http://www.securitytracker.com/id/1032516
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerability-fix-for-fails-to-restrict-access-permissions-cross-site-scripting-cross-site-request-forgery-over-build-10250
CWE-284: Improper Access Control
CVE-2015-2960
https://notcve.org/view.php?id=CVE-2015-2960
Cross-site scripting (XSS) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References:
http://jvn.jp/en/jp/JVN98447310/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000074
http://www.securityfocus.com/bid/75071
http://www.securitytracker.com/id/1032516
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerability-fix-for-fails-to-restrict-access-permissions-cross-site-scripting-cross-site-request-forgery-over-build-10250
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-2959
https://notcve.org/view.php?id=CVE-2015-2959
Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role.
References:
http://jvn.jp/en/jp/JVN25598413/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000075
http://www.securityfocus.com/bid/75065
http://www.securitytracker.com/id/1032516
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerability-fix-for-fails-to-restrict-access-permissions-cross-site-scripting-cross-site-request-forgery-over-build-10250
CWE-284: Improper Access Control
CVE-2014-7863 – ManageEngine Applications Manager FailOverHelperServlet Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2014-7863
The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.
This vulnerability allows remote attackers to disclose files on vulnerable installations of ManageEngine Applications Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the FailOverHelperServlet servlet. The issue lies in the failure to properly sanitize a filename.
References:
https://www.exploit-db.com/exploits/43894
http://packetstormsecurity.com/files/130162/ManageEngine-File-Download-Content-Disclosure-SQL-Injection.html
http://seclists.org/fulldisclosure/2015/Jan/114
http://www.securityfocus.com/archive/1/archive/1/534575/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/100554
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet
https:
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor