
CVE-2024-41140 – Improper Authorization
https://notcve.org/view.php?id=CVE-2024-41140
29 Jan 2025 — Zohocorp ManageEngine Applications Manager versions 174000 and prior are vulnerable to the incorrect authorization in the update user function. • https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2024-41140.html • CWE-863: Incorrect Authorization

CVE-2016-9488 – ManageEngine Applications Manager versions 12 and 13 suffer from remote SQL injection vulnerabilities
https://notcve.org/view.php?id=CVE-2016-9488
04 Apr 2017 — ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from remote SQL injection vulnerabilities. An unauthenticated attacker is able to access the URL /servlet/MenuHandlerServlet, which is vulnerable to SQL injection. The attacker could extract users' password hashes, which are MD5 hashes without salt, and, depending on the database type and its configuration, could also execute operating system commands using SQL queries. • https://packetstorm.news/files/id/158554 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2016-9490 – ManageEngine Applications Manager versions 12 and 13 suffer from a Reflected Cross-Site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2016-9490
04 Apr 2017 — ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from a Reflected Cross-Site Scripting vulnerability. Applications Manager is prone to a Cross-Site Scripting vulnerability in parameter LIMIT, in URL path /DiagAlertAction.do?REQTYPE=AJAX&LIMIT=1233. The URL is also available without authentication. • http://seclists.org/fulldisclosure/2017/Apr/9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2012-1062
https://notcve.org/view.php?id=CVE-2012-1062
14 Feb 2012 — Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Applications Manager 9.x and 10.x allow remote attackers to inject arbitrary web script or HTML via the (1) period parameter to showHistoryData.do; (2) selectedNetwork, (3) network, or (4) group parameters to showresource.do; (5) header parameter to AlarmView.do; or (6) attName parameter to jsp/PopUp_Graph.jsp. NOTE: the Search.do/query vector is already covered by CVE-2008-1566, and the jsp/ThresholdActionConfiguration.jsp redirectto vecto... • http://osvdb.org/78721 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2012-1063
https://notcve.org/view.php?id=CVE-2012-1063
14 Feb 2012 — Multiple SQL injection vulnerabilities in ManageEngine Applications Manager 9.x and 10.x allow remote attackers to execute arbitrary SQL commands via the (1) viewId parameter to fault/AlarmView.do or (2) period parameter to showHistoryData.do. • http://packetstormsecurity.org/files/view/109238/VL-115.txt • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2008-1566
https://notcve.org/view.php?id=CVE-2008-1566
31 Mar 2008 — Cross-site scripting (XSS) vulnerability in Search.do in ManageEngine Applications Manager 8.x allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. • http://secunia.com/advisories/29564 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2008-0474 – ManageEngine Application Manager 10 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2008-0474
29 Jan 2008 — Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Applications Manager 8.1 build 8100 allow remote attackers to inject arbitrary web script or HTML via the (1) showlink parameter to jsp/DiscoveryProfiles.jsp; the (2) attributeIDs, (3) attributeToSelect, (4) redirectto, and (5) resourceid parameters to (a) jsp/ThresholdActionConfiguration.jsp; the (6) page and (7) redirect parameters to (b) jsp/UpdateGlobalSettings.jsp; and the (8) haid and (9) returnpath parameters to (c) showTile.do. NOTE... • https://www.exploit-db.com/exploits/20171 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2008-0475
https://notcve.org/view.php?id=CVE-2008-0475
29 Jan 2008 — ManageEngine Applications Manager 8.1 build 8100 allows remote attackers to obtain sensitive information (Home->Summary) via an invalid URI, as demonstrated by the "/-" URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. • http://secunia.com/advisories/28332 • CWE-20: Improper Input Validation

CVE-2008-0476
https://notcve.org/view.php?id=CVE-2008-0476
29 Jan 2008 — ManageEngine Applications Manager 8.1 build 8100 does not check authentication for monitorType.do and unspecified other pages, which allows remote attackers to obtain sensitive information and change settings via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. • http://secunia.com/advisories/28332 • CWE-287: Improper Authentication