Page 86 of 458 results (0.021 seconds)

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2

CVE-2015-0866 – SupportCenter Plus 7.9 Cross Site Scripting

https://notcve.org/view.php?id=CVE-2015-0866

Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustomer, (2) username, or (3) password parameter to HomePage.do. Múltiples vulnerabilidades de XSS en Zoho ManageEngine SupportCenter Plus 7.9 anterior a hotfix 7941 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro (1) fromCustomer, (2) username, o (3) password en HomePage.do. SupportCenter Plus version 7.9 suffers from a cross site scripting vulnerability. • http://www.securityfocus.com/archive/1/534564/100/0/threaded http://www.securityfocus.com/bid/72349 https://forums.manageengine.com/topic/security-update-for-supportcenter-plus https://www.htbridge.com/advisory/HTB23247 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 62%CPEs: 1EXPL: 2

CVE-2014-100002 – ManageEngine Support Center Plus 7916 - Directory Traversal

https://notcve.org/view.php?id=CVE-2014-100002

Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to WorkOrder.do in the file attachment for a new ticket. Vulnerabilidad de salto de directorio en ManageEngine SupportCenter Plus 7.9 anterior a 7917 permite a atacantes remotos leer ficheros arbitrarios a través de un ..%2f (punto punto barra codificada) en el parámetro attach en WorkOrder.do en el adjunto de fichero para un ticket nuevo. • https://www.exploit-db.com/exploits/31262 http://osvdb.org/show/osvdb/102656 http://www.exploit-db.com/exploits/31262 https://exchange.xforce.ibmcloud.com/vulnerabilities/90806 https://supportcenter.wiki.zoho.com/ReadMe-V2.html - • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1

CVE-2014-3779 – ADSelfservice Plus 5.1 Cross Site Scripting

https://notcve.org/view.php?id=CVE-2014-3779

Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to GroupSubscription.do. Vulnerabilidad de XSS en ZOHO ManageEngine ADSelfService Plus anterior a 5.2 Build 5202 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro name en GroupSubscription.do. AdSelfservice Plus version 5.1 suffers from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/129803/ADSelfservice-Plus-5.1-Cross-Site-Scripting.html https://exchange.xforce.ibmcloud.com/vulnerabilities/99612 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 95%CPEs: 2EXPL: 2

CVE-2014-7862 – ManageEngine Desktop Central - Create Administrator

https://notcve.org/view.php?id=CVE-2014-7862

The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central MSP before build 90109 allows remote attackers to create administrator accounts via an addPlugInUser action. El servlet DCPluginServelet en ManageEngine Desktop Central y Desktop Central MSP en versiones anteriores a la build 90109 permite a los atacantes remotos crear cuentas de administrador mediante una acción addPlugInUser. Desktop Central versions 7 and forward suffer from an add administrator vulnerability. • https://www.exploit-db.com/exploits/43892 http://packetstormsecurity.com/files/129769/Desktop-Central-Add-Administrator.html http://seclists.org/fulldisclosure/2015/Jan/2 http://www.securityfocus.com/archive/1/534356/100/0/threaded http://www.securityfocus.com/bid/71849 https://exchange.xforce.ibmcloud.com/vulnerabilities/99595 https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_dc9_admin.txt https://www.manageengine.com/products/desktop-central/cve20147862-unauthorized-account-creation • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 10.0EPSS: 34%CPEs: 1EXPL: 0

CVE-2014-9371 – ManageEngine Desktop Central MSP NativeAppServlet UDID JSON Object Code Injection Remote Code Execution Vulnerability

https://notcve.org/view.php?id=CVE-2014-9371

The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object. NativeAppServlet en ManageEngine Desktop Central MSP anterior a 90075 permite a atacantes remotos ejecutar código arbitrario a través de un objeto JSON manipulado. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Desktop Central MSP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the NativeAppServlet servlet. The issue lies in the failure to sanitize JSON data before processing it. • http://www.zerodayinitiative.com/advisories/ZDI-14-420 • CWE-20: Improper Input Validation •