ManageEngine Desktop Central vulnerabilities
6 known vulnerabilities affecting manageengine/desktop_central.
Total CVEs: 6
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 2, MEDIUM 2
Vulnerabilities
CVE-2023-4769 | HIGH | CVSS 8.8 | v9.1.0 | 2023-11-03
CVE-2023-4769 [MEDIUM] CWE-918
A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. This vulnerability could allow an authenticated attacker to launch targeted attacks, such as a cross-port attack, service enumeration and other attacks via HTTP requests.
cvelistv5, nvd
CVE-2023-4768 | MEDIUM | CVSS 6.1 | v9.1.0 | 2023-11-03
CVE-2023-4768 [MEDIUM] CWE-93
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.pdf.
cvelistv5, nvd
CVE-2023-4767 | MEDIUM | CVSS 6.1 | v9.1.0 | 2023-11-03
CVE-2023-4767 [MEDIUM] CWE-93
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv.
cvelistv5, nvd
CVE-2021-28960 | CRITICAL | CVSS 9.8 | fixed in 10.0.683 | 2021-09-21
CVE-2021-28960 [CRITICAL] CWE-77
Zoho ManageEngine Desktop Central before build 10.0.683 allows unauthenticated command injection due to improper handling of an input command in on-demand operations.
nvd
CVE-2015-8249 | CRITICAL | CVSS 9.8 | PoC | v9.0 | 2017-09-28
CVE-2015-8249 [CRITICAL] CWE-434
The FileUploadServlet class in ManageEngine Desktop Central 9 before build 91093 allows remote attackers to upload and execute arbitrary files via the ConnectionId parameter.
nvd
CVE-2014-3996 | HIGH | CVSS 7.5 | PoC | ≤ 9.0 | 2014-12-05
CVE-2014-3996 [HIGH] CWE-89
SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90043, Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition befo
nvd