
CVE-2023-47211
https://notcve.org/view.php?id=CVE-2023-47211
08 Jan 2024 — A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MIB file to trigger this vulnerability. • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1851 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2023-6105 – ManageEngine Information Disclosure in Multiple Products
https://notcve.org/view.php?id=CVE-2023-6105
15 Nov 2023 — An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database. • https://www.manageengine.com/security/advisory/CVE/CVE-2023-6105.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2022-35404
https://notcve.org/view.php?id=CVE-2022-35404
18 Jul 2022 — ManageEngine Password Manager Pro 12100 and prior and OpManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine. • https://manageengine.com • CWE-20: Improper Input Validation

CVE-2021-43319
https://notcve.org/view.php?id=CVE-2021-43319
30 Nov 2021 — Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality. • https://manageengine.com • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2021-41081
https://notcve.org/view.php?id=CVE-2021-41081
11 Nov 2021 — Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a configuration search. • https://github.com/sudaiv/CVE-2021-41081 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2021-41080
https://notcve.org/view.php?id=CVE-2021-41080
11 Nov 2021 — Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a hardware details search. • https://www.manageengine.com/network-configuration-manager/security-updates/cve-2021-41080.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2019-12133
https://notcve.org/view.php?id=CVE-2019-12133
18 Jun 2019 — Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus ... • https://github.com/active-labs/Advisories/blob/master/2019/ACTIVE-2019-007.md • CWE-427: Uncontrolled Search Path Element • CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2018-18980
https://notcve.org/view.php?id=CVE-2018-18980
06 Nov 2018 — An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server. • https://github.com/x-f1v3/ForCve/issues/5 • CWE-611: Improper Restriction of XML External Entity Reference