An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data.
zohocorp
CVE-2019-19799
Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet.
CVE-2019-19800
Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet.
CVE-2019-19649
Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function.
CVE-2019-19650
Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.
CVE-2019-19475
An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in “Authenticated Users” group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrary command to escalate and gain full system privilege user access and rights over the system.