CVE-2010-3273
https://notcve.org/view.php?id=CVE-2010-3273
ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allows remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, by providing a user id to accounts/ValidateUser, and then providing a new password to accounts/ResetResult. Zoho ManageEngine ADSelfService Plus anterior a v4.5 Build 4500 permite a atacantes remotos restablecer las contraseñas de usuario, y en consecuencia obtener acceso a cuentas de usuario arbitrarias al proporcionar un identificador de usuario a accounts/ValidateUser, y, a continuación proporcionando una nueva contraseña para accounts/ResetResult. • http://secunia.com/advisories/43241 http://securityreason.com/securityalert/8089 http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities http://www.osvdb.org/70869 http://www.securityfocus.com/archive/1/516396/100/0/threaded http://www.securityfocus.com/bid/46331 http://www.vupen.com/english/advisories/2011/0392 https://exchange.xforce.ibmcloud.com/vulnerabilities/65348 • CWE-20: Improper Input Validation •
CVE-2010-3272 – ManageEngine ADSelfService Plus 4.4 - POST Manipulation Security Question
https://notcve.org/view.php?id=CVE-2010-3272
accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it easier for remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, via a modified (1) Hide_Captcha or (2) quesList parameter in a validateAll action. accounts/ValidateAnswers en la implementación de seguridad-preguntas en Zoho ManageEngine ADSelfService Plus anterior a v4.5 Build 4500 facilita a los atacantes remotos restablecer las contraseñas de usuario, y en consecuencia obtener acceso a cuentas de usuario arbitrarias, a través de una modificación de los parámetros (1) Hide_Captcha o (2) quesList en una acción validateAll. • https://www.exploit-db.com/exploits/35330 http://secunia.com/advisories/43241 http://securityreason.com/securityalert/8089 http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities http://www.osvdb.org/70870 http://www.securityfocus.com/archive/1/516396/100/0/threaded http://www.securityfocus.com/bid/46331 http://www.vupen.com/english/advisories/2011/0392 https://exchange.xforce.ibmcloud.com/vulnerabilities/65350 • CWE-20: Improper Input Validation •
CVE-2009-2155
https://notcve.org/view.php?id=CVE-2009-2155
Cross-site scripting (XSS) vulnerability in report/ReportViewAction.do in WebNMS Free Edition 5 allows remote attackers to inject arbitrary web script or HTML via the type parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en report/ReportViewAction.do en WebNMS Free Edition v5 permite a atacantes remotos inyectar secuencias de comandos web o HTML mediante el parámetro "type". NOTA: la procedencia de esta información es desconocida; los detalles se han obtenido exclusivamente de información de terceros. • http://osvdb.org/55188 http://secunia.com/advisories/35495 https://exchange.xforce.ibmcloud.com/vulnerabilities/51250 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •