CVE-2014-8678 – ManageEngine OpUtils ConfigSaveServlet saveFile Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2014-8678
The ConfigSaveServlet servlet in ManageEngine OpUtils before build 71024 allows remote attackers to "disclose" files via a crafted filename, related to "saveFile." El servlet ConfigSaveServlet en ManageEngine OpUtils anterior a build 71024 permite a atacantes remotos 'revelar' ficheros a través de un nombre de fichero manipulado, relacionado con 'saveFile.' This vulnerability allows remote attackers to disclose files on vulnerable installations of ManageEngine OpUtils. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the ConfigSaveServlet servlet. The issue lies in the failure to properly sanitize a filename. • http://www.zerodayinitiative.com/advisories/ZDI-14-386 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2010-1044 – ManageEngine OpUtils 5 - 'Login.DO' SQL Injection
https://notcve.org/view.php?id=CVE-2010-1044
SQL injection vulnerability in Login.do in ManageEngine OpUtils 5.0 allows remote attackers to execute arbitrary SQL commands via the isHttpPort parameter. Vulnerabilidad de inyección SQL en Login.do en ManageEngine OpUtils v5.0, permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro isHttpPort. • https://www.exploit-db.com/exploits/11330 http://packetstormsecurity.org/1002-exploits/oputils_5-sql.txt http://www.exploit-db.com/exploits/11330 http://www.securityfocus.com/bid/38082 https://exchange.xforce.ibmcloud.com/vulnerabilities/56102 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2008-2797
https://notcve.org/view.php?id=CVE-2008-2797
Cross-site scripting (XSS) vulnerability in MainLayout.do in ManageEngine OpUtils 5.0 allows remote attackers to inject arbitrary web script or HTML via the hostName parameter, when viewing an SNMP graph. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en MainLayout.do de ManageEngine OpUtils versión 5.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del parámetro hostName, cuando se visualiza un gráfico SNMP. NOTA: la procedencia de esta información es desconocida; los detalles se han obtenido exclusivamente de información de terceros. • http://secunia.com/advisories/30745 http://www.securityfocus.com/bid/29785 https://exchange.xforce.ibmcloud.com/vulnerabilities/43158 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •