Zohocorp ManageEngine Desktop Central vulnerabilities
47 known vulnerabilities affecting zohocorp/manageengine_desktop_central.
Total CVEs: 47
CISA KEV: 2 (actively exploited)
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 18, HIGH 18, MEDIUM 11
Vulnerabilities
Page 3 of 3
CVE-2017-16924 | CRITICAL | CVSS 9.8 | CWE-330 | v10.0.137 | 2018-02-19
Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data//collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157.
nvd
CVE-2015-2560 | CRITICAL | CVSS 9.8 | CWE-264 | v9.0 | 2017-08-02
Manage Engine Desktop Central 9 before build 90135 allows remote attackers to change passwords of users with the Administrator role via an addOrModifyUser operation to servlets/DCOperationsServlet.
nvd
CVE-2017-11346 | CRITICAL | CVSS 9.8 | CWE-20 | PoC | ≤ 10.0 | 2017-07-17
Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos.
nvd
CVE-2014-9331 | MEDIUM | CVSS 6.8 | CWE-352 | PoC | ≤ 9.0 | 2015-02-04
Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via an addUser action to STATE_ID/1417736606982/roleMgmt.do.
nvd
CVE-2014-9371 | CRITICAL | CVSS 10.0 | CWE-20 | ≤ 9.0 | 2014-12-16
The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object.
nvd
CVE-2014-5006 | HIGH | CVSS 7.5 | CWE-22 | PoC | ≤ 9.0 | 2014-10-21
Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter to mdm/mdmLogUploader.
nvd
CVE-2014-5005 | HIGH | CVSS 7.5 | CWE-22 | PoC | ≤ 9.0 | 2014-10-21
Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter in an LFU action to statusUpdate.
nvd