CVSS: 10.0EPSS: 89%CPEs: 1EXPL: 4CVE-2014-5006 – ManageEngine Desktop Central MSP MDMLogUploaderServlet filename File Upload Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-5006
Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter to mdm/mdmLogUploader. Vulnerabilidad de salto de directorio en ZOHO ManageEngine Desktop Central (DC) anterior a 9 build 90055 permite a atacantes remotos ejecutar código arbitrario a través de un .. (punto punto) en el parámetro fileName en mdm/mdmLogUploader. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Desktop Central MSP. • https://www.exploit-db.com/exploits/34518 https://www.exploit-db.com/exploits/34594 http://osvdb.org/show/osvdb/110644 http://seclists.org/fulldisclosure/2014/Aug/88 http://www.exploit-db.com/exploits/34594 https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_file_upload.txt https://www.manageengine.com/products/desktop-central/remote-code-execution.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2014-4930
https://notcve.org/view.php?id=CVE-2014-4930
Multiple cross-site scripting (XSS) vulnerabilities in event/index2.do in ManageEngine EventLog Analyzer before 9.0 build 9002 allow remote attackers to inject arbitrary web script or HTML via the (1) width, (2) height, (3) url, (4) helpP, (5) tab, (6) module, (7) completeData, (8) RBBNAME, (9) TC, (10) rtype, (11) eventCriteria, (12) q, (13) flushCache, or (14) product parameter. Fixed in Build 11072. Múltiples vulnerabilidades de cross-site scripting (XSS) en event / index2.do en ManageEngine EventLog Analyzer anterior a la versión 9.0, compilación 9002, permiten a los atacantes remotos inyectar script web arbitrario o HTML a través del (1) ancho, (2) altura, (3) url (4) helpP, (5) pestaña, (6) módulo, (7) completeData, (8) RBBNAME, (9) TC, (10) rtype, (11) eventCriteria, (12) q, (13) flushCache, o (14) parámetro del producto. Corregido en Build 11072. • http://packetstormsecurity.com/files/128012/ManageEngine-EventLog-Analyzer-7-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2014/Aug/74 http://www.securityfocus.com/bid/69420 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 79EXPL: 5CVE-2014-3997 – ManageEngine Password Manager Pro / ManageEngine IT360 - SQL Injection
https://notcve.org/view.php?id=CVE-2014-3997
SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat. Vulnerabilidad de inyección SQL en el servlet MetadataServlet en la edición ManageEngine Password Manager Pro (PMP) y Password Manager Pro Managed Service Providers (MSP) 5 hasta 7 build 7003, la edición IT360 y IT360 Managed Service Providers (MSP) anterior a 10.3.3 build 10330, y posiblemente otros productos ManageEngine, permite a atacantes remotos o usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro sv en MetadataServlet.dat. • https://www.exploit-db.com/exploits/39288 http://seclists.org/fulldisclosure/2014/Aug/55 http://seclists.org/fulldisclosure/2014/Aug/85 https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc_pmp_it360_sqli.txt https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_pmp_sqli.rb • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2014-5103
https://notcve.org/view.php?id=CVE-2014-5103
Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine EventLog Analyzer 9 build 9000 allows remote attackers to inject arbitrary web script or HTML via the j_username parameter to event/j_security_check. Fixed in Version 10 Build 10000. La vulnerabilidad de secuencias Cross-site scripting (XSS) en ZOHO ManageEngine EventLog Analyzer 9 build 9000 permite a los atacantes remotos inyectar secuencias de comandos web arbitrarias o HTML a través del parámetro j_username en event / j_security_check. Corregido en la Versión 10 Build 10000. • http://packetstormsecurity.com/files/127568/EventLog-Analyzer-9.0-Build-9000-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/532856/100/0/threaded http://www.securityfocus.com/bid/68854 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-0344
https://notcve.org/view.php?id=CVE-2014-0344
Properties.do in ZOHO ManageEngine OpStor before build 8500 does not properly check privilege levels, which allows remote authenticated users to obtain Admin access by using the name parameter in conjunction with a true value of the edit parameter. Properties.do en ZOHO ManageEngine OpStor anterior a build 8500 no comprueba debidamente niveles de privilegio, lo que permite a usuarios remotos autenticados obtener acceso administrativo mediante el uso del parámetro name en conjunto con un valor verdadero del parámetro edit. • http://www.kb.cert.org/vuls/id/140886 http://www.securityfocus.com/bid/66499 • CWE-264: Permissions, Privileges, and Access Controls •