12 results (0.004 seconds)

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions. ZOHO ManageEngine ServiceDesk Plus en versiones anteriores a 9.0 permite que los usuarios invitados autenticados remotos tengan un impacto no especificado al aprovechar el fallo para restringir el acceso a funciones desconocidas. • http://jvn.jp/en/jp/JVN89726415/index.html http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000170.html http://www.securityfocus.com/bid/93215 https://www.manageengine.com/products/service-desk/readme-9.0.html • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad XSS en ZOHO ManageEngine ServiceDesk Plus en versiones anteriores a 9.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://jvn.jp/en/jp/JVN50347324/index.html http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000169.html http://www.securityfocus.com/bid/93214 https://www.manageengine.com/products/service-desk/readme-9.2.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie. ZOHO ManageEngine ServiceDesk Plus en versiones anteriores a 9.2 utiliza un método inseguro para generar cookies, lo que facilita a los atacantes la obtención de información confidencial de contraseñas aprovechando el acceso a una cookie. • http://jvn.jp/en/jp/JVN72559412/index.html http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000171.html http://www.securityfocus.com/bid/93216 https://www.manageengine.com/products/service-desk/readme-9.2.html • CWE-254: 7PK - Security Features •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 5

SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter. Vulnerabilidad de inyección SQL en reports/CreateReportTable.jsp en ZOHO ManageEngine ServiceDesk Plus (SDP) anterior a 9.0 build 9031 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro site. • https://www.exploit-db.com/exploits/35890 http://packetstormsecurity.com/files/130079/ManageEngine-ServiceDesk-9.0-SQL-Injection.html http://www.exploit-db.com/exploits/35890 http://www.manageengine.com/products/service-desk/readme-9.0.html http://www.rewterz.com/vulnerabilities/manageengine-servicedesk-sql-injection-vulnerability http://www.securityfocus.com/bid/72299 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.0EPSS: 75%CPEs: 1EXPL: 4

ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4) reports/CreateReportTable.jsp. ZOHO ManageEngine ServiceDesk Plus (SDP) anterior a 9.0 build 9031 permite a usuarios remotos autenticados obtener información sensible sobre tickets a través de (1) una acción getTicketData en servlet/AJaxServlet o una solicitud directa a (2) swf/flashreport.swf, (3) reports/flash/details.jsp, o (4) reports/CreateReportTable.jsp. • https://www.exploit-db.com/exploits/35904 http://osvdb.org/show/osvdb/117499 http://packetstormsecurity.com/files/130081/ManageEngine-ServiceDesk-Plus-9.0-Privilege-Escalation.html http://www.exploit-db.com/exploits/35904 http://www.manageengine.com/products/service-desk/readme-9.0.html http://www.rewterz.com/vulnerabilities/manageengine-servicedesk-plus-user-privileges-management-vulnerability http://www.securityfocus.com/archive/1/534538/100/0/threaded http://www.securityfocus.com/bid/72302 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •