Manageengine Eventlog Analyzer
by Zohocorp
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-11687 | Med | 0.40 | 6.1 | 0.01 | Jul 27, 2017 | Multiple Persistent cross-site scripting (XSS) vulnerabilities in Event log parsing and Display functions in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML via syslog. | ||
| CVE-2017-11686 | Med | 0.40 | 6.1 | 0.02 | Jul 27, 2017 | Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attackers to obtain an authenticated user's password via XSS vulnerabilities or sniffing non-SSL traffic on the network, because the password is represented in a cookie with a reversible encoding method. | ||
| CVE-2017-11685 | Med | 0.40 | 6.1 | 0.01 | Jul 27, 2017 | Multiple Reflective cross-site scripting (XSS) vulnerabilities in search and display of event data in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML, as demonstrated by the fName parameter. | ||
| CVE-2015-7387 | 0.09 | — | 0.80 | Sep 28, 2015 | ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT… | |||
| CVE-2019-19774 | 0.04 | — | 0.13 | Dec 13, 2019 | An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing… | |||
| CVE-2014-6043 | 0.04 | — | 0.13 | Sep 11, 2014 | ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000. | |||
| CVE-2014-6037 | 0.03 | — | 0.84 | Oct 26, 2014 | Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its… | |||
| CVE-2014-4930 | 0.00 | — | 0.04 | Aug 29, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in event/index2.do in ManageEngine EventLog Analyzer before 9.0 build 9002 allow remote attackers to inject arbitrary web script or HTML via the (1) width, (2) height, (3) url, (4) helpP, (5) tab, (6) module, (7) completeData,… | |||
| CVE-2014-5103 | 0.00 | — | 0.04 | Jul 25, 2014 | Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine EventLog Analyzer 9 build 9000 allows remote attackers to inject arbitrary web script or HTML via the j_username parameter to event/j_security_check. Fixed in Version 10 Build 10000. |
- risk 0.40cvss 6.1epss 0.01
Multiple Persistent cross-site scripting (XSS) vulnerabilities in Event log parsing and Display functions in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML via syslog.
- risk 0.40cvss 6.1epss 0.02
Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attackers to obtain an authenticated user's password via XSS vulnerabilities or sniffing non-SSL traffic on the network, because the password is represented in a cookie with a reversible encoding method.
- risk 0.40cvss 6.1epss 0.01
Multiple Reflective cross-site scripting (XSS) vulnerabilities in search and display of event data in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML, as demonstrated by the fName parameter.
- CVE-2015-7387Sep 28, 2015risk 0.09cvss —epss 0.80
ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT…
- CVE-2019-19774Dec 13, 2019risk 0.04cvss —epss 0.13
An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing…
- CVE-2014-6043Sep 11, 2014risk 0.04cvss —epss 0.13
ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000.
- CVE-2014-6037Oct 26, 2014risk 0.03cvss —epss 0.84
Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its…
- CVE-2014-4930Aug 29, 2014risk 0.00cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in event/index2.do in ManageEngine EventLog Analyzer before 9.0 build 9002 allow remote attackers to inject arbitrary web script or HTML via the (1) width, (2) height, (3) url, (4) helpP, (5) tab, (6) module, (7) completeData,…
- CVE-2014-5103Jul 25, 2014risk 0.00cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine EventLog Analyzer 9 build 9000 allows remote attackers to inject arbitrary web script or HTML via the j_username parameter to event/j_security_check. Fixed in Version 10 Build 10000.