Shodan
Vulnerabilities
Vulnerable Software
Zohocorp:  >> Manageengine Applications Manager  >> 12.7  Security Vulnerabilities
CVE-2019-11469
Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.
CVSS Score
9.8
EPSS Score
0.047
Published
2019-04-23
CVE-2019-11448
An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file.
CVSS Score
9.8
EPSS Score
0.195
Published
2019-04-22
CVE-2018-15168
A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request.
CVSS Score
9.8
EPSS Score
0.019
Published
2018-08-08
CVE-2018-15169
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager 13 before build 13820 allows remote attackers to inject arbitrary web script or HTML via the /deleteMO.do method parameter.
CVSS Score
6.1
EPSS Score
0.004
Published
2018-08-08
CVE-2018-12996
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do.
CVSS Score
6.1
EPSS Score
0.015
Published
2018-06-29
CVE-2018-7890
A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection.
CVSS Score
9.8
EPSS Score
0.863
Published
2018-03-08


Products
Pricing
Contact Us

Shodan ® - All rights reserved