MidnightBSD

Advisories for zohocorp

CVE-2010-3272 MEDIUM

accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it easier for remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, via a modified (1) Hide_Captcha or (2) quesList parameter in a validateAll action.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus *
CVE-2010-3273 MEDIUM

ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allows remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, by providing a user id to accounts/ValidateUser, and then providing a new password to accounts/ResetResult.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus *
CVE-2010-3274 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus *
CVE-2010-5050 MEDIUM

Cross-site scripting (XSS) vulnerability in jsp/admin/tools/remote_share.jsp in ManageEngine ADManager Plus 4.4.0 allows remote attackers to inject arbitrary web script or HTML via the computerName parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus 4.4.0
CVE-2012-5956 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine AssetExplorer 5.6 before service pack 5614 allow remote attackers to inject arbitrary web script or HTML via fields in XML asset data to discoveryServlet/WsDiscoveryServlet, as demonstrated by the DocRoot/Computer_Information/output element.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer *
CVE-2013-7390 HIGH

Unrestricted file upload vulnerability in AgentLogUploadServlet in ManageEngine DesktopCentral 7.x and 8.0.0 before build 80293 allows remote attackers to execute arbitrary code by uploading a file with a jsp extension, then accessing it via a direct request to the file in the webroot.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2014-0344 MEDIUM

Properties.do in ZOHO ManageEngine OpStor before build 8500 does not properly check privilege levels, which allows remote authenticated users to obtain Admin access by using the name parameter in conjunction with a true value of the edit parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
zohocorp manageengine_opstor *
CVE-2014-100002 MEDIUM

Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to WorkOrder.do in the file attachment for a new ticket.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_supportcenter_plus *
CVE-2014-2670 LOW

Cross-site scripting (XSS) vulnerability in Properties.do in ZOHO ManageEngine OpStor before build 8500 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter, a different vulnerability than CVE-2014-0344.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_opstor *
CVE-2014-3779 MEDIUM

Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to GroupSubscription.do.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus *
CVE-2014-3997 HIGH

SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_password_manager_pro 6.8
zohocorp manageengine_password_manager_pro 6.9
zohocorp manageengine_password_manager_pro 5.0
zohocorp manageengine_password_manager_pro 6.1
zohocorp manageengine_password_manager_pro 6.4
zohocorp manageengine_it360 *
zohocorp manageengine_password_manager_pro 5.2
zohocorp manageengine_password_manager_pro 6.2
zohocorp manageengine_password_manager_pro 6.6
zohocorp manageengine_password_manager_pro 6.7
zohocorp manageengine_password_manager_pro 6.0
zohocorp manageengine_password_manager_pro 6.5
zohocorp manageengine_password_manager_pro 7.0
zohocorp manageengine_password_manager_pro 6.3
zohocorp manageengine_password_manager_pro 5.3
zohocorp manageengine_password_manager_pro 5.1
zohocorp manageengine_password_manager_pro 5.4
CVE-2014-4930 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in event/index2.do in ManageEngine EventLog Analyzer before 9.0 build 9002 allow remote attackers to inject arbitrary web script or HTML via the (1) width, (2) height, (3) url, (4) helpP, (5) tab, (6) module, (7) completeData, (8) RBBNAME, (9) TC, (10) rtype, (11) eventCriteria, (12) q, (13) flushCache, or (14) product parameter. Fixed in Build 11072.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_eventlog_analyzer 7.0
zohocorp manageengine_eventlog_analyzer *
CVE-2014-5005 HIGH

Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter in an LFU action to statusUpdate.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2014-5006 HIGH

Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter to mdm/mdmLogUploader.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2014-5007 HIGH

Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
zohocorp manageengine_desktop_central_managed_service_providers *
CVE-2014-5103 MEDIUM

Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine EventLog Analyzer 9 build 9000 allows remote attackers to inject arbitrary web script or HTML via the j_username parameter to event/j_security_check. Fixed in Version 10 Build 10000.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_eventlog_analyzer 9.0
CVE-2014-5445 MEDIUM

Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer *
zohocorp manageengine_it360 10.3.0
CVE-2014-5446 MEDIUM

Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer 9.5
zohocorp manageengine_netflow_analyzer 8.6
zohocorp manageengine_netflow_analyzer 9.6
zohocorp manageengine_netflow_analyzer 9.8.5
zohocorp manageengine_netflow_analyzer 10.0
zohocorp manageengine_netflow_analyzer 9.7
zohocorp manageengine_netflow_analyzer 9.0
zohocorp manageengine_netflow_analyzer 10.2
zohocorp manageengine_it360 10.3.0
zohocorp manageengine_netflow_analyzer 9.8.6
zohocorp manageengine_netflow_analyzer 9.8
zohocorp manageengine_netflow_analyzer 9.1
zohocorp manageengine_netflow_analyzer 9.8.7
zohocorp manageengine_netflow_analyzer 9.9
CVE-2014-6034 MEDIUM

Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 9.4
zohocorp manageengine_social_it_plus 11.0
zohocorp manageengine_opmanager 8.8
zohocorp manageengine_opmanager 11.3
zohocorp manageengine_opmanager 11.2
zohocorp manageengine_it360 *
zohocorp manageengine_opmanager 9.0
zohocorp manageengine_opmanager 10.1
zohocorp manageengine_opmanager 11.1
zohocorp manageengine_opmanager 9.1
zohocorp manageengine_opmanager 10.2
zohocorp manageengine_opmanager 9.2
zohocorp manageengine_opmanager 11.0
zohocorp manageengine_opmanager 10.0
CVE-2014-6035 HIGH

Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager 11.4
CVE-2014-6036 MEDIUM

Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_social_it_plus 11.0
zohocorp manageengine_it360 10.3.0
zohocorp manageengine_it360 *
CVE-2014-6037 HIGH

Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its name, then accessing the executable via a direct request to the file under the web root. Fixed in Build 11072.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_eventlog_analyzer 8.2
zohocorp manageengine_eventlog_analyzer 9.0
CVE-2014-6038 MEDIUM

Zoho ManageEngine EventLog Analyzer versions 7 through 9.9 build 9002 have a database Information Disclosure Vulnerability. Fixed in EventLog Analyzer 10.0 Build 10000.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
zohocorp manageengine_eventlog_analyzer *
CVE-2014-6039 MEDIUM

ManageEngine EventLog Analyzer version 7 through 9.9 build 9002 has a Credentials Disclosure Vulnerability. Fixed version 10 Build 10000.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,

Products Affected

Vendor Product Version
zohocorp manageengine_eventlog_analyzer *
CVE-2014-6043 MEDIUM

ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
zohocorp manageengine_eventlog_analyzer 8.2
zohocorp manageengine_eventlog_analyzer 9.0
CVE-2014-7862 HIGH

The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central MSP before build 90109 allows remote attackers to create administrator accounts via an addPlugInUser action.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
zohocorp desktop_central *
CVE-2014-7863 MEDIUM

The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_applications_manager *
zohocorp manageengine_it360 *
CVE-2014-7864 HIGH

Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter in a standbyUpdateInCentral operation to servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 9.4
zohocorp manageengine_opmanager 8.8
zohocorp manageengine_opmanager 11.3
zohocorp manageengine_opmanager 11.2
zohocorp manageengine_opmanager 11.5
zohocorp manageengine_opmanager 9.0
zohocorp manageengine_opmanager 10.1
zohocorp manageengine_opmanager 11.1
zohocorp manageengine_opmanager 9.1
zohocorp manageengine_opmanager 10.2
zohocorp manageengine_opmanager 9.2
zohocorp manageengine_opmanager 11.0
zohocorp manageengine_opmanager 11.4
zohocorp manageengine_opmanager 10.0
CVE-2014-7866 HIGH

Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to write and execute arbitrary files via a .. (dot dot) in the (1) fileName parameter to the MigrateLEEData servlet or (2) zipFileName parameter in a downloadFileFromProbe operation to the MigrateCentralData servlet.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 9.4
zohocorp manageengine_social_it_plus 11.0
zohocorp manageengine_opmanager 8.8
zohocorp manageengine_opmanager 11.3
zohocorp manageengine_opmanager 11.2
zohocorp manageengine_opmanager 9.0
zohocorp manageengine_opmanager 10.1
zohocorp manageengine_it360 10.4
zohocorp manageengine_opmanager 11.1
zohocorp manageengine_opmanager 9.1
zohocorp manageengine_it360 10.3.0
zohocorp manageengine_opmanager 10.2
zohocorp manageengine_opmanager 9.2
zohocorp manageengine_opmanager 11.0
zohocorp manageengine_opmanager 11.4
zohocorp manageengine_opmanager 10.0
CVE-2014-7867 HIGH

SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the probeName parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_social_it_plus 11.0
zohocorp manageengine_it360 10.4
zohocorp manageengine_it360 10.3.0
zohocorp manageengine_opmanager 11.3
zohocorp manageengine_opmanager 11.4
CVE-2014-7868 HIGH

Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_social_it_plus 11.0
zohocorp manageengine_it360 10.4
zohocorp manageengine_it360 10.3.0
zohocorp manageengine_opmanager 11.3
zohocorp manageengine_opmanager 11.4
CVE-2014-8498 MEDIUM

SQL injection vulnerability in BulkEditSearchResult.cc in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allows remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_password_manager_pro *
CVE-2014-9331 MEDIUM

Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via an addUser action to STATE_ID/1417736606982/roleMgmt.do.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2014-9371 HIGH

The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2015-0866 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustomer, (2) username, or (3) password parameter to HomePage.do.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_supportcenter_plus *
CVE-2015-1026 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in ZOHO ManageEngine ADManager Plus before 6.2 Build 6270 allow remote attackers to inject arbitrary web script or HTML via the (1) technicianSearchText parameter to the Help Desk Technician page or (2) rolesSearchText parameter to the Help Desk Roles.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
CVE-2015-1479 MEDIUM

SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp servicedesk_plus *
CVE-2015-2169 MEDIUM

Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 allows remote attackers to inject arbitrary web script or HTML via a Publisher registry entry, which is not properly handled when the machine is scanned.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer 6.1
CVE-2015-2560 MEDIUM

Manage Engine Desktop Central 9 before build 90135 allows remote attackers to change passwords of users with the Administrator role via an addOrModifyUser operation to servlets/DCOperationsServlet.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 9.0
CVE-2015-2959 HIGH

Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer -
CVE-2015-2960 MEDIUM

Cross-site scripting (XSS) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer -
CVE-2015-2961 MEDIUM

Cross-site request forgery (CSRF) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to hijack the authentication of administrators.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer -
CVE-2015-4418 MEDIUM

Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer -
CVE-2015-5061 LOW

Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 and earlier allows remote authenticated users with permissions to add new vendors to inject arbitrary web script or HTML via the organizationName parameter to VendorDef.do.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer 6.1
CVE-2015-5149 MEDIUM

Directory traversal vulnerability in Zoho ManageEngine SupportCenter Plus 7.90 allows remote authenticated users to write to arbitrary files via a .. (dot dot) in the component parameter in the Request component to workorder/Attachment.jsp.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_supportcenter_plus 7.90
CVE-2015-5150 LOW

Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authenticated users to inject arbitrary web script or HTML via the (1) query parameter in the run_query_editor_query module to CustomReportHandler.do, (2) compAcct parameter to jsp/ResetADPwd.jsp, or (3) redirectTo parameter to jsp/CacheScreenWidth.jsp.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_supportcenter_plus 7.90
CVE-2015-5459 MEDIUM

SQL injection vulnerability in the AdvanceSearch.class in AdventNetPassTrix.jar in ManageEngine Password Manager Pro (PMP) before 8.1 Build 8101 allows remote authenticated users to execute arbitrary SQL commands via the ANDOR parameter, as demonstrated by a request to STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_password_manager_pro *
CVE-2015-7387 HIGH

ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_eventlog_analyzer *
CVE-2015-7765 HIGH

ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser account, which allows remote authenticated users to obtain administrator access by leveraging knowledge of this password.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 11.5
CVE-2015-7766 HIGH

PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO."

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager 11.6
CVE-2015-7780 MEDIUM

Directory traversal vulnerability in ManageEngine Firewall Analyzer before 8.0.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_firewall_analyzer *
CVE-2015-7781 MEDIUM

ManageEngine Firewall Analyzer before 8.0 does not restrict access permissions.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-275,

Products Affected

Vendor Product Version
zohocorp manageengine_firewall_analyzer *
CVE-2015-9107 MEDIUM

Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 12.2
zohocorp manageengine_opmanager 11.1
zohocorp manageengine_opmanager 11.3
zohocorp manageengine_opmanager 11.0
zohocorp manageengine_opmanager 11.2
zohocorp manageengine_opmanager 11.5
zohocorp manageengine_opmanager 11.6
zohocorp manageengine_opmanager 11.4
CVE-2016-1159 MEDIUM

In ZOHO Password Manager Pro (PMP) 8.3.0 (Build 8303) and 8.4.0 (Build 8400,8401,8402), underprivileged users can obtain sensitive information (entry password history) via a vulnerable hidden service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
zohocorp manageengine_password_manager_pro 8.3
zohocorp manageengine_password_manager_pro 8.4
CVE-2016-1161 MEDIUM

Cross-site request forgery (CSRF) vulnerability in ManageEngine Password Manager Pro before 8.5 (Build 8500).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zohocorp password_manager_pro *
CVE-2016-4888 LOW

Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp servicedesk_plus *
CVE-2016-4889 MEDIUM

ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
zohocorp servicedesk_plus *
CVE-2016-4890 MEDIUM

ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-254,

Products Affected

Vendor Product Version
zohocorp servicedesk_plus *
CVE-2016-6600 HIGH

Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. (dot dot) in the fileName parameter to servlets/FileUploadServlet.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp webnms_framework 5.2
CVE-2016-6601 MEDIUM

Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp webnms_framework 5.2
CVE-2016-6602 MEDIUM

ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a remote exploit.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
zohocorp webnms_framework 5.2
CVE-2016-6603 MEDIUM

ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zohocorp webnms_framework 5.2
CVE-2016-9489 MEDIUM

In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like "ADMIN". A user is also able to change properties of another user, e.g. change another user's password.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,CWE-255,CWE-264,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 12.0
zohocorp manageengine_applications_manager 13.0
CVE-2016-9491 MEDIUM

ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem and read the system files, including Applications Manager configuration, stored private keys, etc. By default Application Manager is running with administrative privileges, therefore it is possible to access every directory on the underlying operating system.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,CWE-200,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 12.0
zohocorp manageengine_applications_manager 13.0
CVE-2016-9498 HIGH

ManageEngine Applications Manager 12 and 13 before build 13200, allows unserialization of unsafe Java objects. The vulnerability can be exploited by remote user without authentication and it allows to execute remote code compromising the application as well as the operating system. As Application Manager's RMI registry is running with privileges of system administrator, by exploiting this vulnerability an attacker gains highest privileges on the underlying operating system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 12.0
zohocorp manageengine_applications_manager 13.0
CVE-2017-11346 HIGH

Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2017-11557 MEDIUM

An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 12.3
CVE-2017-11559 MEDIUM

An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 12.2
CVE-2017-11560 LOW

An issue was discovered in ZOHO ManageEngine OpManager 12.2. By adding a Google Map to the application, an authenticated user can upload an HTML file. This HTML file is then rendered in various locations of the application. JavaScript inside the uploaded HTML is also interpreted by the application. Thus, an attacker can inject a malicious JavaScript payload inside the HTML file and upload it to the application.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 12.2
CVE-2017-11561 MEDIUM

An issue was discovered in ZOHO ManageEngine OpManager 12.2. An authenticated user can upload any file they want to share in the "Group Chat" or "Alarm" section. This functionality can be abused by a malicious user by uploading a web shell.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 12.2
CVE-2017-11685 MEDIUM

Multiple Reflective cross-site scripting (XSS) vulnerabilities in search and display of event data in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML, as demonstrated by the fName parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_eventlog_analyzer 11.5
zohocorp manageengine_eventlog_analyzer 11.4
CVE-2017-11686 MEDIUM

Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attackers to obtain an authenticated user's password via XSS vulnerabilities or sniffing non-SSL traffic on the network, because the password is represented in a cookie with a reversible encoding method.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_eventlog_analyzer 11.5
zohocorp manageengine_eventlog_analyzer 11.4
CVE-2017-11687 MEDIUM

Multiple Persistent cross-site scripting (XSS) vulnerabilities in Event log parsing and Display functions in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML via syslog.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_eventlog_analyzer 11.5
zohocorp manageengine_eventlog_analyzer 11.4
CVE-2017-11738 MEDIUM

In Zoho ManageEngine Application Manager prior to 14.6 Build 14660, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 13.1
CVE-2017-11739 MEDIUM

In Zoho ManageEngine Application Manager 13.1 Build 13100, an authenticated user, with administrative privileges, has the ability to add a widget on any dashboard. This widget can be a "Utility Widget" with a "Custom HTML or Text" field. Once this widget is created, it will be loaded on the dashboard where it was added. An attacker can abuse this functionality by creating a "Utility Widget" that contains malicious JavaScript code, aka XSS.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 13.1
CVE-2017-11740 MEDIUM

In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be executed upon the occurrence of an alarm. An attacker can abuse this functionality by uploading a malicious script that can be executed on the remote system.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 13.1
CVE-2017-14123 HIGH

Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upload vulnerability in the "Group Chat" section. Any user can upload files with any extensions. By uploading a PHP file to the server, an attacker can cause it to execute in the server context, as demonstrated by /itplus/FileStorage/302/shell.jsp.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_firewall_analyzer 12.2
CVE-2017-14582 MEDIUM

The Zoho Site24x7 Mobile Network Poller application before 1.1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a self-signed certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,

Products Affected

Vendor Product Version
zohocorp site24x7_mobile_network_poller *
CVE-2017-16542 MEDIUM

Zoho ManageEngine Applications Manager 13 before build 13500 allows Post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 13.0
CVE-2017-16543 HIGH

Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 13.0
CVE-2017-16846 HIGH

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 13.0
CVE-2017-16847 HIGH

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 13.0
CVE-2017-16848 HIGH

Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 13.0
CVE-2017-16849 HIGH

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 13.0
CVE-2017-16850 HIGH

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 13.0
CVE-2017-16851 HIGH

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 13.0
CVE-2017-16924 MEDIUM

Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-330,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 10.0.137
CVE-2017-17552 MEDIUM

/LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus 6.6
zohocorp manageengine_admanager_plus *
CVE-2017-17698 MEDIUM

Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflected XSS in SearchResult.ec and BulkAccessControlView.ec.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_password_manager_pro *
CVE-2017-7213 HIGH

Zoho ManageEngine Desktop Central before build 100082 allows remote attackers to obtain control over all connected active desktops via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central -
CVE-2017-9362 MEDIUM

ManageEngine ServiceDesk Plus before 9312 contains an XML injection at add Configuration items CMDB API.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
CVE-2017-9376 MEDIUM

ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do and AssetDefaultConfigDef.do.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
CVE-2018-10075 MEDIUM

Cross-site scripting (XSS) vulnerability in Zoho ManageEngine EventLog Analyzer 11.12 allows remote attackers to inject arbitrary web script or HTML via the import logs feature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_eventlog_analyzer 11.12
CVE-2018-10076 MEDIUM

An issue was discovered in Zoho ManageEngine EventLog Analyzer 11.12. A Cross-Site Scripting vulnerability allows a remote attacker to inject arbitrary web script or HTML via the search functionality (the search box of the Dashboard).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_eventlog_analyzer 11.12
CVE-2018-10466 HIGH

Zoho ManageEngine ADAudit Plus before 5.0.0 build 5100 allows blind SQL Injection.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
CVE-2018-10803 MEDIUM

Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary web script or HTML via a crafted description value. This can be exploited through CSRF.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-352,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer *
CVE-2018-11716 MEDIUM

An issue was discovered in Zoho ManageEngine Desktop Central before 100230. There is unauthenticated remote access to all log files of a Desktop Central instance containing critical information (private information such as location of enrolled devices, cleartext passwords, patching level, etc.) via a GET request on port 8022, 8443, or 8444.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-532,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2018-11717 MEDIUM

An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64 encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the cleartext password of recovery_password of Android devices, the cleartext password of account "set", the location of devices enrolled in the platform (with UUID and information related to the name of the person at the location), critical information about all enrolled devices such as Serial Number, UUID, Model, Name, and auth_session_token (usable to spoof a terminal identity on the platform), etc.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-532,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2018-11808 HIGH

Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 13
CVE-2018-12996 MEDIUM

A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager *
CVE-2018-12997 MEDIUM

Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers to read certain files on the web server without login by sending a specially crafted request to the server with the operation=copyfile&fileName= substring.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
zohocorp manageengine_network_configuration_manager -
zohocorp manageengine_oputils -
zohocorp firewall_analyzer -
zohocorp manageengine_netflow_analyzer -
zohocorp manageengine_opmanager -
CVE-2018-12998 MEDIUM

A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_network_configuration_manager -
zohocorp manageengine_oputils -
zohocorp firewall_analyzer -
zohocorp manageengine_netflow_analyzer -
zohocorp manageengine_opmanager -
CVE-2018-12999 MEDIUM

Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 10.0.255
CVE-2018-13050 HIGH

A SQL Injection vulnerability exists in Zoho ManageEngine Applications Manager 13.x before build 13800 via the j_username parameter in a /j_security_check POST request.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 13.0
CVE-2018-13411 HIGH

An issue was discovered in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-732,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2018-13412 HIGH

An issue was discovered in the Self Service Portal in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-732,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2018-15168 HIGH

A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager *
CVE-2018-15169 MEDIUM

A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager 13 before build 13820 allows remote attackers to inject arbitrary web script or HTML via the /deleteMO.do method parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager *
CVE-2018-15740 MEDIUM

Zoho ManageEngine ADManager Plus 6.5.7 has XSS on the "Workflow Delegation" "Requester Roles" screen.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus 6.5.7
CVE-2018-16364 HIGH

A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 13.7
CVE-2018-16833 MEDIUM

Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 10.0.271
CVE-2018-16965 MEDIUM

In Zoho ManageEngine SupportCenter Plus before 8.1 Build 8109, there is HTML Injection and Stored XSS via the /ServiceContractDef.do contractName parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_supportcenter_plus *
CVE-2018-17243 HIGH

Global Search in Zoho ManageEngine OpManager before 12.3 123205 allows SQL Injection.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
CVE-2018-17283 MEDIUM

Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
CVE-2018-17596 MEDIUM

In Zoho ManageEngine AssetExplorer, a Stored XSS vulnerability was discovered in the 6.2.0 version via the /AssetDef.do ciName or assetName parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer 6.2.0
CVE-2018-18262 MEDIUM

Zoho ManageEngine OpManager 12.3 before build 123214 has XSS.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 12.3
CVE-2018-18475 HIGH

Zoho ManageEngine OpManager before 12.3 build 123214 allows Unrestricted Arbitrary File Upload.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 12.3
CVE-2018-18715 MEDIUM

Zoho ManageEngine OpManager 12.3 before 123219 has stored XSS.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 12.3
CVE-2018-18716 MEDIUM

Zoho ManageEngine OpManager 12.3 before 123219 has a Self XSS Vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 12.3
zohocorp manageengine_opmanager 11.5
zohocorp manageengine_opmanager 11.4
CVE-2018-18949 HIGH

Zoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via Mail Server settings.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 12.3
zohocorp manageengine_opmanager 11.5
zohocorp manageengine_opmanager 11.4
CVE-2018-18980 MEDIUM

An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_network_configuration_manager *
CVE-2018-19118 MEDIUM

Zoho ManageEngine ADAudit before 5.1 build 5120 allows remote attackers to cause a denial of service (stack-based buffer overflow) via the 'Domain Name' field when adding a new domain.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
CVE-2018-19288 MEDIUM

Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 12.3
zohocorp manageengine_opmanager 11.5
zohocorp manageengine_opmanager 11.4
CVE-2018-19374 MEDIUM

Zoho ManageEngine ADManager Plus 6.6 Build 6657 allows local users to gain privileges (after a reboot) by placing a Trojan horse file into the permissive bin directory.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-732,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus 6.6
CVE-2018-19921 MEDIUM

Zoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain controller.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 123230
zohocorp manageengine_opmanager 123229
zohocorp manageengine_opmanager 123223
zohocorp manageengine_opmanager 12.3
zohocorp manageengine_opmanager 123224
zohocorp manageengine_opmanager 123231
zohocorp manageengine_opmanager 11.5
zohocorp manageengine_opmanager 123222
zohocorp manageengine_opmanager 11.4
CVE-2018-20173 HIGH

Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 12.3
CVE-2018-20338 HIGH

Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 12.3
CVE-2018-20339 MEDIUM

Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms section.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 12.3
CVE-2018-20484 MEDIUM

Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 5.7
CVE-2018-20485 MEDIUM

Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 5.4
zohocorp manageengine_adselfservice_plus 5.5
zohocorp manageengine_adselfservice_plus 4.5
zohocorp manageengine_adselfservice_plus 5.1
zohocorp manageengine_adselfservice_plus 5.6
zohocorp manageengine_adselfservice_plus 5.2
zohocorp manageengine_adselfservice_plus 5.7
zohocorp manageengine_adselfservice_plus 5.0
zohocorp manageengine_adselfservice_plus 5.3
CVE-2018-20664 HIGH

Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-611,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 5.7
CVE-2018-5337 HIGH

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: directory traversal in the SCRIPT_NAME field when modifying existing scripts.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 10.0.184
zohocorp manageengine_desktop_central 10.0.124
CVE-2018-5338 HIGH

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: missing authentication/authorization for a database query mechanism.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-306,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 10.0.184
zohocorp manageengine_desktop_central 10.0.124
CVE-2018-5339 HIGH

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-306,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 10.0.184
zohocorp manageengine_desktop_central 10.0.124
CVE-2018-5340 MEDIUM

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: database access using a superuser account (specifically, an account with permission to write to the filesystem via SQL queries).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 10.0.184
zohocorp manageengine_desktop_central 10.0.124
CVE-2018-5341 HIGH

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: a missing server-side check on the file type/extension when uploading and modifying scripts.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 10.0.184
zohocorp manageengine_desktop_central 10.0.124
CVE-2018-5342 MEDIUM

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-732,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 10.0.184
zohocorp manageengine_desktop_central 10.0.124
CVE-2018-5353 HIGH

The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-290,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 5.5
zohocorp manageengine_adselfservice_plus *
CVE-2018-5799 MEDIUM

In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
CVE-2018-7248 MEDIUM

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the accounts exists, or 'null' if it does not.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 9.3
CVE-2018-7405 MEDIUM

Cross-site scripting (XSS) in Zoho ManageEngine EventLog Analyzer before 11.12 Build 11120 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_eventlog_analyzer *
CVE-2018-7890 HIGH

A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager *
CVE-2018-8721 MEDIUM

Zoho ManageEngine EventLog Analyzer version 11.0 build 11000 has Stored XSS related to the index2.do?url=editAlertForm&tab=alert&alert=profile URI and the Edit Alert Profile screen

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_eventlog_analyzer 11.0
CVE-2018-8722 MEDIUM

Zoho ManageEngine Desktop Central version 9.1.0 build 91099 has multiple XSS issues that were fixed in build 92026.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 9.1.0
CVE-2018-9163 LOW

A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject arbitrary web script or HTML via the loginName field to technicianAction.do.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_recovery_manager_plus *
CVE-2019-10008 MEDIUM

Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-384,

Products Affected

Vendor Product Version
zohocorp servicedesk_plus 9.3
CVE-2019-10273 MEDIUM

Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users to enumerate active users. Due to a flaw within the way the authentication is handled, an attacker is able to login and verify any active account.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 9.3
CVE-2019-11361 MEDIUM

Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user permissions properly, allowing for privilege escalation and eventually a full application takeover.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
zohocorp manageengine_remote_access_plus 10.0.258
CVE-2019-11448 HIGH

An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager *
CVE-2019-11469 HIGH

Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager *
CVE-2019-11511 MEDIUM

Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 5.7
CVE-2019-11676 MEDIUM

The user defined DNS name in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to stored XSS attacks.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_firewall_analyzer 12.2
zohocorp manageengine_firewall_analyzer 8.3
zohocorp manageengine_firewall_analyzer 8.1
zohocorp manageengine_firewall_analyzer 12.0
zohocorp manageengine_firewall_analyzer 12.3
zohocorp manageengine_firewall_analyzer 8.0
zohocorp manageengine_firewall_analyzer 7.4
zohocorp manageengine_firewall_analyzer 8.5
zohocorp manageengine_firewall_analyzer 7.6
zohocorp manageengine_firewall_analyzer 7.2
CVE-2019-11677 HIGH

The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-611,

Products Affected

Vendor Product Version
zohocorp manageengine_firewall_analyzer 12.2
zohocorp manageengine_firewall_analyzer 8.3
zohocorp manageengine_firewall_analyzer 8.1
zohocorp manageengine_firewall_analyzer 12.0
zohocorp manageengine_firewall_analyzer 12.3
zohocorp manageengine_firewall_analyzer 8.0
zohocorp manageengine_firewall_analyzer 7.4
zohocorp manageengine_firewall_analyzer 8.5
zohocorp manageengine_firewall_analyzer 7.6
zohocorp manageengine_firewall_analyzer 7.2
CVE-2019-11678 HIGH

The "default reports" feature in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123218 is vulnerable to SQL Injection.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_firewall_analyzer 12.2
zohocorp manageengine_firewall_analyzer 8.3
zohocorp manageengine_firewall_analyzer 8.1
zohocorp manageengine_firewall_analyzer 12.0
zohocorp manageengine_firewall_analyzer 12.3
zohocorp manageengine_firewall_analyzer 8.0
zohocorp manageengine_firewall_analyzer 7.4
zohocorp manageengine_firewall_analyzer 8.5
zohocorp manageengine_firewall_analyzer 7.6
zohocorp manageengine_firewall_analyzer 7.2
CVE-2019-12133 HIGH

Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-427,CWE-732,

Products Affected

Vendor Product Version
zohocorp manageengine_key_manager_plus 5.6
zohocorp manageengine_patch_connect_plus 9.0.0
zohocorp manageengine_analytics_plus 1.0
zohocorp manageengine_netflow_analyzer 11.0
zohocorp manageengine_supportcenter_plus 8.1
zohocorp manageengine_eventlog_analyzer 12.0.2
zohocorp manageengine_network_configuration_manager 11.0
zohocorp manageengine_oputils 11.0
zohocorp manageengine_o365_manager_plus 4.0
zohocorp manageengine_password_manager_pro 9.9
zohocorp manageengine_vulnerability_manager_plus 9.0.0
zohocorp manageengine_desktop_central 10.0.380
zohocorp manageengine_opmanager 12.3
zohocorp manageengine_browser_security_plus -
zohocorp manageengine_firewall 12.0
zohocorp manageengine_patch_manager_plus 9.0.0
zohocorp manageengine_servicedesk_plus 10.0.0
zohocorp manageengine_mobile_device_manager_plus 9.0.0
CVE-2019-12189 MEDIUM

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 9.3
CVE-2019-12196 HIGH

A SQL injection vulnerability in /client/api/json/v2/nfareports/compareReport in Zoho ManageEngine NetFlow Analyzer 12.3 allows attackers to execute arbitrary SQL commands via the DeviceID parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer 12.3
CVE-2019-12252 MEDIUM

In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-639,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
CVE-2019-12476 HIGH

An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-640,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus *
CVE-2019-12537 MEDIUM

An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via the SearchN.do search field.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer 6.5
CVE-2019-12538 MEDIUM

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 9.3
CVE-2019-12539 MEDIUM

An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus. There is XSS via the SearchN.do search field, a different vulnerability than CVE-2019-12189.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 10.5
CVE-2019-12540 MEDIUM

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. There is XSS via the WorkOrder.do search field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 10.5
CVE-2019-12541 MEDIUM

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 9.3
CVE-2019-12542 MEDIUM

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 9.3
CVE-2019-12543 MEDIUM

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 9.3
CVE-2019-12595 MEDIUM

An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via the RCSettings.do rdsName parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer 6.5
CVE-2019-12596 MEDIUM

An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via SoftwareListView.do with the parameter swType or swComplianceType.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer 6.5
CVE-2019-12597 MEDIUM

An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via ResourcesAttachments.jsp with the parameter pageName.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer 6.5
CVE-2019-12876 HIGH

Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-732,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 10.0.380
zohocorp manageengine_admanager_plus 6.6.5
zohocorp manageengine_adselfservice_plus 5.7
CVE-2019-12959 MEDIUM

Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer 6.2.0 and before for the ClientUtilServlet servlet via a URL in a parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer *
CVE-2019-12994 MEDIUM

Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer version 6.2.0 for the AJaxServlet servlet via a parameter in a URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer 6.2.0
CVE-2019-14693 MEDIUM

Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer 6.2.0
CVE-2019-15045 MEDIUM

AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
CVE-2019-15046 MEDIUM

Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
CVE-2019-15083 MEDIUM

Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator visualizes this page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 10.0.0
CVE-2019-15104 HIGH

An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager *
CVE-2019-15105 HIGH

An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager *
CVE-2019-15106 HIGH

An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-306,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
CVE-2019-15510 MEDIUM

ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 10 allows HTML injection on the user administration page via the description of a role.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 10.0
CVE-2019-16268 LOW

Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_remote_access_plus 10.0.259
CVE-2019-16962 LOW

Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a modified Report Name in a New Custom Report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 10.0.430
CVE-2019-17112 MEDIUM

An issue was discovered in Zoho ManageEngine DataSecurity Plus before 5.0.1 5012. An exposed service allows a basic user ("Operator" access level) to access the configuration file of the mail server (except for the password).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-552,

Products Affected

Vendor Product Version
zohocorp manageengine_datasecurity_plus 4.0
zohocorp manageengine_datasecurity_plus 4.1
zohocorp manageengine_datasecurity_plus 4.2
zohocorp manageengine_datasecurity_plus 4.3
zohocorp manageengine_datasecurity_plus 5.0
CVE-2019-17421 HIGH

Incorrect file permissions on the packaged Nipper executable file in Zoho ManageEngine OpManager 12.4.072 and Firewall Analyzer 12.4.072 allow local users to elevate privileges to root by overwriting this file with a malicious payload.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-276,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 12.4
zohocorp manageengine_firewall_analyzer 12.4
CVE-2019-17602 HIGH

An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager 12.4
CVE-2019-18411 MEDIUM

Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the reset password function and control the system to send the authentication code back to the channel that the attackers own.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 5.4
zohocorp manageengine_adselfservice_plus 5.5
zohocorp manageengine_adselfservice_plus 5.1
zohocorp manageengine_adselfservice_plus 5.6
zohocorp manageengine_adselfservice_plus 5.2
zohocorp manageengine_adselfservice_plus 5.8
zohocorp manageengine_adselfservice_plus 5.7
zohocorp manageengine_adselfservice_plus 5.0
zohocorp manageengine_adselfservice_plus 5.3
CVE-2019-18781 MEDIUM

An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 5.4
zohocorp manageengine_adselfservice_plus 5.5
zohocorp manageengine_adselfservice_plus 5.1
zohocorp manageengine_adselfservice_plus 5.6
zohocorp manageengine_adselfservice_plus 5.2
zohocorp manageengine_adselfservice_plus 5.8
zohocorp manageengine_adselfservice_plus 5.7
zohocorp manageengine_adselfservice_plus 5.0
zohocorp manageengine_adselfservice_plus 5.3
CVE-2019-19034 MEDIUM

Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-78,

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer 6.5
CVE-2019-19475 HIGH

An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in “Authenticated Users” group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrary command to escalate and gain full system privilege user access and rights over the system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-276,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 14.3
CVE-2019-19649 HIGH

Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager *
CVE-2019-19650 MEDIUM

Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager *
CVE-2019-19774 MEDIUM

An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing credential data stored in the database, and recover the MD5 hashes of the accounts used to authenticate the ManageEngine platform to the managed machines on the network (most often administrative accounts). Specifically, this bypasses these restrictions: a query cannot mention password, and a query result cannot have a password column.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_eventlog_analyzer *
CVE-2019-19799 MEDIUM

Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager *
zohocorp manageengine_applications_manager 14.5
CVE-2019-19800 MEDIUM

Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 14.0
CVE-2019-20474 MEDIUM

An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
zohocorp manageengine_remote_access_plus 10.0.447
CVE-2019-3905 HIGH

Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-918,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 5.4
zohocorp manageengine_adselfservice_plus 5.5
zohocorp manageengine_adselfservice_plus 5.1
zohocorp manageengine_adselfservice_plus 5.6
zohocorp manageengine_adselfservice_plus 5.2
zohocorp manageengine_adselfservice_plus 5.7
zohocorp manageengine_adselfservice_plus 5.0
zohocorp manageengine_adselfservice_plus 5.3
CVE-2019-7161 MEDIUM

An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 5.4
zohocorp manageengine_adselfservice_plus 5.5
zohocorp manageengine_adselfservice_plus 5.1
zohocorp manageengine_adselfservice_plus 5.6
zohocorp manageengine_adselfservice_plus 5.2
zohocorp manageengine_adselfservice_plus 5.7
zohocorp manageengine_adselfservice_plus 5.0
zohocorp manageengine_adselfservice_plus 5.3
CVE-2019-7162 MEDIUM

An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to retrieve internal information from the system and modify the product installation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 5.6
CVE-2019-7422 MEDIUM

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/addMailSettings.jsp" file in the gF parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer 7.0.0.2
CVE-2019-7423 MEDIUM

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/editProfile.jsp" file in the userName parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer 7.0.0.2
CVE-2019-7424 MEDIUM

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/index.jsp" file in the view GET parameter or any of these POST parameters: autorefTime, section, snapshot, viewOpt, viewAll, view, or groupSelName. The latter is related to CVE-2009-3903.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer 7.0.0.2
CVE-2019-7425 MEDIUM

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the task parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer 7.0.0.2
CVE-2019-7426 MEDIUM

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the groupDesc, groupName, groupID, or task parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer 7.0.0.2
CVE-2019-7427 MEDIUM

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the autorefTime or graphTypes parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer 7.0.0.2
CVE-2019-8346 MEDIUM

In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 5.4
zohocorp manageengine_adselfservice_plus 5.5
zohocorp manageengine_adselfservice_plus 5.1
zohocorp manageengine_adselfservice_plus 5.6
zohocorp manageengine_adselfservice_plus 5.2
zohocorp manageengine_adselfservice_plus 5.7
zohocorp manageengine_adselfservice_plus 5.0
zohocorp manageengine_adselfservice_plus 5.3
CVE-2019-8394 MEDIUM

Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_servicedesk_plus 10.0.0
CVE-2019-8395 HIGH

An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,CWE-706,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
CVE-2019-8925 MEDIUM

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. An Absolute Path Traversal vulnerability in the Administration zone, in /netflow/servlet/CReportPDFServlet (via the parameter schFilePath), allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via any file name, such as a schFilePath=C:\boot.ini value.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer 7.0.0.2
CVE-2019-8926 MEDIUM

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/popup1.jsp file via these GET parameters: bussAlert, customDev, and selSource.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer 7.0.0.2
CVE-2019-8927 MEDIUM

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/scheduleConfig.jsp file via these GET parameters: devSrc, emailId, excWeekModify, filterFlag, getFilter, mailReport, mset, popup, rep_schedule, rep_Type, schDesc, schName, schSource, selectDeviceDone, task, val10, and val11.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer 7.0.0.2
CVE-2019-8928 MEDIUM

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in /netflow/jspui/userManagementForm.jsp via these GET parameters: authMeth, passWord, pwd1, and userName.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer 7.0.0.2
CVE-2019-8929 MEDIUM

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/selectDevice.jsp file in these GET parameters: param and rtype.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_netflow_analyzer 7.0.0.2
CVE-2020-10189 HIGH

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2020-10541 HIGH

Zoho ManageEngine OpManager before 12.4.179 allows remote code execution via a specially crafted Mail Server Settings v1 API request. This was fixed in 12.5.108.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
CVE-2020-10816 MEDIUM

Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 14.7
CVE-2020-10859 MEDIUM

Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2020-11518 HIGH

Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 5.8
zohocorp manageengine_adselfservice_plus *
CVE-2020-11527 MEDIUM

In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager 12.4
CVE-2020-11531 MEDIUM

The DataEngine Xnode Server application in Zoho ManageEngine DataSecurity Plus prior to 6.0.1 does not validate the database schema name when handling a DR-SCHEMA-SYNC request. This allows an authenticated attacker to execute code in the context of the product by writing a JSP file to the webroot directory via directory traversal.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_datasecurity_plus *
CVE-2020-11532 HIGH

Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of admin user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-1188,

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_datasecurity_plus *
CVE-2020-11552 HIGH

An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick-client software is launched, which connects to a remote ADSelfService Plus server to facilitate self-service operations. An unauthenticated attacker having physical access to the host could trigger a security alert by supplying a self-signed SSL certificate to the client. The View Certificate option from the security alert allows an attacker to export a displayed certificate to a file. This can further cascade to a dialog that can open Explorer as SYSTEM. By navigating from Explorer to \windows\system32, cmd.exe can be launched as a SYSTEM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.0
zohocorp manageengine_adselfservice_plus *
CVE-2020-11946 MEDIUM

Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 12.5
CVE-2020-12116 MEDIUM

Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager 12.4
zohocorp manageengine_opmanager 12.5
CVE-2020-13154 MEDIUM

Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-862,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 11.1
CVE-2020-13818 MEDIUM

In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager 12.5
CVE-2020-14008 MEDIUM

Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 14.0
zohocorp manageengine_applications_manager *
CVE-2020-14048 MEDIUM

Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 10.5
zohocorp manageengine_servicedesk_plus 8.2
zohocorp manageengine_servicedesk_plus 9.0
zohocorp manageengine_servicedesk_plus 11.0
zohocorp manageengine_servicedesk_plus 9.3
zohocorp manageengine_servicedesk_plus 10.0.0
zohocorp manageengine_servicedesk_plus 9.4
zohocorp manageengine_servicedesk_plus 11.1
zohocorp manageengine_servicedesk_plus 9.2
zohocorp manageengine_servicedesk_plus 9.1
CVE-2020-15394 HIGH

The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 14.0
zohocorp manageengine_applications_manager *
CVE-2020-15521 MEDIUM

Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS) .

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 14.0
zohocorp manageengine_applications_manager *
CVE-2020-15533 HIGH

In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager *
zohocorp manageengine_applications_manager 14.7
zohocorp manageengine_applications_manager 14.6
CVE-2020-15588 HIGH

An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. This issue will occur only when untrusted communication is initiated with server. In cloud, Agent will always connect with trusted communication.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-787,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2020-15589 MEDIUM

A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W and Remote Access Plus before 10.1.2119.1. By exploiting this issue, an attacker-controlled server can force the client to skip TLS certificate validation, leading to a man-in-the-middle attack against HTTPS and unauthenticated remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zohocorp manageengine_remote_access_plus *
zohocorp manageengine_desktop_central 10.0.552.w
CVE-2020-15594 MEDIUM

An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to perform a scan in order to discover open ports on a machine as well as available machines on the network segment on which the instance of the product is deployed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4
cve@mitre.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
zohocorp application_control_plus *
zohocorp manageengine_application_control_plus *
CVE-2020-15595 MEDIUM

An issue was discovered in Zoho Application Control Plus before version 10.0.511. The Element Configuration feature (to configure elements included in the scope of elements managed by the product) allows an attacker to retrieve the entire list of the IP ranges and subnets configured in the product and consequently obtain information about the cartography of the internal networks to which the product has access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp application_control_plus *
zohocorp manageengine_application_control_plus *
CVE-2020-15927 MEDIUM

Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 14.7
CVE-2020-16267 MEDIUM

Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 14.7
CVE-2020-21641

Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote attackers to read arbitrary files, enumerate folders and scan internal ports via crafted XML license file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
zohocorp manageengine_analytics_plus *
CVE-2020-21642

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_analytics_plus 3.5
zohocorp manageengine_analytics_plus 4.1
zohocorp manageengine_analytics_plus 4.2
zohocorp manageengine_analytics_plus 3.2
zohocorp manageengine_analytics_plus 3.3
zohocorp manageengine_analytics_plus 3.8
zohocorp manageengine_analytics_plus 3.6
zohocorp manageengine_analytics_plus 3.1
zohocorp manageengine_analytics_plus 3.0
zohocorp manageengine_analytics_plus 3.7
zohocorp manageengine_analytics_plus 3.4
zohocorp manageengine_analytics_plus 2.9
zohocorp manageengine_analytics_plus 3.9
zohocorp manageengine_analytics_plus 4.0
zohocorp manageengine_analytics_plus 4.3
CVE-2020-24397 HIGH

An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-787,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 10.0.0
CVE-2020-24743 HIGH

An issue was found in /showReports.do Zoho ManageEngine Applications Manager up to 14550, allows attackers to gain escalated privileges via the resourceid parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager *
zohocorp manageengine_applications_manager 14.5
CVE-2020-24786 HIGH

An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zohocorp manageengine_o365_manager_plus *
zohocorp manageengine_admanager_plus 7.0
zohocorp manageengine_admanager_plus *
zohocorp manageengine_recovermanager_plus *
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adselfservice_plus 5.8
zohocorp manageengine_cloud_security_plus *
zohocorp manageengine_exchange_reporter_plus 5.5
zohocorp manageengine_adaudit_plus 6.0
zohocorp manageengine_o365_manager_plus 4.3
zohocorp manageengine_eventlog_analyzer 12.1.3
zohocorp manageengine_cloud_security_plus 4.1
zohocorp manageengine_ad360 4.2
zohocorp manageengine_log360 *
zohocorp manageengine_ad360 *
zohocorp manageengine_datasecurity_plus *
zohocorp manageengine_exchange_reporter_plus *
zohocorp manageengine_datasecurity_plus 6.0
zohocorp manageengine_recovermanager_plus 6.0
zohocorp manageengine_eventlog_analyzer *
zohocorp manageengine_adselfservice_plus *
zohocorp manageengine_log360 5.1
CVE-2020-27449

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_password_manager_pro 11.1
CVE-2020-27733 MEDIUM

Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 14.0
CVE-2020-27995 HIGH

SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 14.0
CVE-2020-28050 MEDIUM

Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2020-28653 HIGH

Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager 12.5
CVE-2020-28679 MEDIUM

A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 12.0
zohocorp manageengine_applications_manager 13.5
zohocorp manageengine_applications_manager 14.3
zohocorp manageengine_applications_manager 12.6
zohocorp manageengine_applications_manager 14.0
zohocorp manageengine_applications_manager 11.7
zohocorp manageengine_applications_manager 11.8
zohocorp manageengine_applications_manager 11.9
zohocorp manageengine_applications_manager 14.4
zohocorp manageengine_applications_manager 12.5
zohocorp manageengine_applications_manager 14.2
zohocorp manageengine_applications_manager 12.1
zohocorp manageengine_applications_manager 11.4
zohocorp manageengine_applications_manager 11.0
zohocorp manageengine_applications_manager 12.7
zohocorp manageengine_applications_manager 11.6
zohocorp manageengine_applications_manager 13.3
zohocorp manageengine_applications_manager 11.3
zohocorp manageengine_applications_manager 13.7
zohocorp manageengine_applications_manager 12.8
zohocorp manageengine_applications_manager 13.8
zohocorp manageengine_applications_manager 12.9
zohocorp manageengine_applications_manager 11.1
zohocorp manageengine_applications_manager 13.6
zohocorp manageengine_applications_manager 11.2
zohocorp manageengine_applications_manager 11.5
zohocorp manageengine_applications_manager 13.1
zohocorp manageengine_applications_manager 13.9
zohocorp manageengine_applications_manager 12.2
zohocorp manageengine_applications_manager 13.4
zohocorp manageengine_applications_manager 12.3
zohocorp manageengine_applications_manager 13.0
zohocorp manageengine_applications_manager 14.5
zohocorp manageengine_applications_manager 13.2
zohocorp manageengine_applications_manager 14.1
CVE-2020-29658 HIGH

Zoho ManageEngine Application Control Plus before 100523 has an insecure SSL configuration setting for Nginx, leading to Privilege Escalation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_control_plus *
CVE-2020-35594 MEDIUM

Zoho ManageEngine ADManager Plus before 7066 allows XSS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus 7.0
zohocorp manageengine_admanager_plus *
CVE-2020-35682 MEDIUM

Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_servicedesk_plus 11.1
CVE-2020-35765 MEDIUM

doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 14.9
zohocorp manageengine_applications_manager *
CVE-2020-6843 LOW

Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
CVE-2020-8422 MEDIUM

An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_remote_access_plus *
CVE-2020-8509 MEDIUM

Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2020-8540 HIGH

An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-611,CWE-918,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2020-8838 MEDIUM

An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. During an upgrade of the Windows agent, it does not validate the source and binary downloaded. This allows an attacker on an adjacent network to execute code with NT AUTHORITY/SYSTEM privileges on the agent machines by providing an arbitrary executable via a man-in-the-middle attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.5 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-354,

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer 6.5
CVE-2020-9346 MEDIUM

Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zohocorp manageengine_password_manager_pro *
zohocorp manageengine_password_manager_pro 10.4
CVE-2020-9347 HIGH

Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-1236,

Products Affected

Vendor Product Version
zohocorp manageengine_password_manager_pro 10.2
zohocorp manageengine_password_manager_pro 10.1
zohocorp manageengine_password_manager_pro 10.3
zohocorp manageengine_password_manager_pro 10.0
zohocorp manageengine_password_manager_pro 10.4
CVE-2020-9367 MEDIUM

The MPS Agent in Zoho ManageEngine Desktop Central MSP build MSP build 10.0.486 is vulnerable to DLL Hijacking: dcinventory.exe and dcconfig.exe try to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because this DLL is missing from the installation, thus making it possible to hijack the DLL and subsequently inject code, leading to an escalation of privilege to NT AUTHORITY\SYSTEM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 10.0.486
CVE-2021-20078 HIGH

Manage Engine OpManager builds below 125346 are vulnerable to a remote denial of service vulnerability due to a path traversal issue in spark gateway component. This allows a remote attacker to remotely delete any directory or directories on the OS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H 3.9 5.2

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager 12.5
CVE-2021-20080 MEDIUM

Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 8.2
zohocorp manageengine_servicedesk_plus 9.0
zohocorp manageengine_servicedesk_plus 9.4
zohocorp manageengine_servicedesk_plus 11.1
zohocorp manageengine_servicedesk_plus 10.5
zohocorp manageengine_servicedesk_plus 11.0
zohocorp manageengine_servicedesk_plus 9.3
zohocorp manageengine_servicedesk_plus 10.0.0
zohocorp manageengine_servicedesk_plus 10.0
zohocorp manageengine_servicedesk_plus 8.1
zohocorp manageengine_servicedesk_plus 9.2
zohocorp manageengine_servicedesk_plus 9.1
CVE-2021-20081 HIGH

Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary commands with SYSTEM privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_servicedesk_plus 11.2
CVE-2021-20108 MEDIUM

Manage Engine Asset Explorer Agent 1.0.34 listens on port 9000 for incoming commands over HTTPS from Manage Engine Server. The HTTPS certificates are not verified which allows any arbitrary user on the network to send commands over port 9000. While these commands may not be executed (due to authtoken validation), the Asset Explorer agent will reach out to the manage engine server for an HTTP request. During this process, AEAgent.cpp allocates 0x66 bytes using "malloc". This memory is never free-ed in the program, causing a memory leak. Additionally, the instruction sent to aeagent (ie: NEWSCAN, DELTASCAN, etc) is converted to a unicode string, but is never freed. These memory leaks allow a remote attacker to exploit a Denial of Service scenario through repetitively sending these commands to an agent and eventually crashing it the agent due to an out-of-memory condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401,

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer 1.0.34
CVE-2021-20109 MEDIUM

Due to the Asset Explorer agent not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as well as receive the agent's HTTP request verifying its authtoken. In AEAgent.cpp, the agent responding back over HTTP is vulnerable to a Heap Overflow if the POST payload response is too large. The POST payload response is converted to Unicode using vswprintf. This is written to a buffer only 0x2000 bytes big. If POST payload is larger, then heap overflow will occur.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer 1.0.34
CVE-2021-20110 HIGH

Due to Manage Engine Asset Explorer Agent 1.0.34 not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as well as receive the agent's HTTP request verifying its authtoken. In httphandler.cpp, the agent reaching out over HTTP is vulnerable to an Integer Overflow, which can be turned into a Heap Overflow allowing for remote code execution as NT AUTHORITY/SYSTEM on the agent machine. The Integer Overflow occurs when receiving POST response from the Manage Engine server, and the agent calling "HttpQueryInfoW" in order to get the "Content-Length" size from the incoming POST request. This size is taken, but multiplied to a larger amount. If an attacker specifies a Content-Length size of 1073741823 or larger, this integer arithmetic will wrap the value back around to smaller integer, then calls "calloc" with this size to allocate memory. The following API "InternetReadFile" will copy the POST data into this buffer, which will be too small for the contents, and cause heap overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer 1.0.34
CVE-2021-20130 MEDIUM

ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the PasswordExpiry interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-20131 MEDIUM

ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the Personalization interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-20136 HIGH

ManageEngine Log360 Builds < 5235 are affected by an improper access control vulnerability allowing database configuration overwrite. An unauthenticated remote attacker can send a specially crafted message to Log360 to change its backend database to an attacker-controlled database and to force Log360 to restart. An attacker can leverage this vulnerability to achieve remote code execution by replacing files executed by Log360 on startup.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-306,

Products Affected

Vendor Product Version
zohocorp manageengine_log360 *
zohocorp manageengine_log360 5.3
CVE-2021-20147 MEDIUM

ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-203,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_adselfservice_plus *
CVE-2021-20148 LOW

ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a predictable filename based on the domain name. When ADSSP is configured with multiple Windows domains, a user from one domain can obtain the password policy for another domain by authenticating to the service and then sending a request specifying the password policy file of the other domain.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-552,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_adselfservice_plus *
CVE-2021-27214 MEDIUM

A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-918,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.0
CVE-2021-27956 MEDIUM

Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_adselfservice_plus *
CVE-2021-28382 LOW

Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_key_manager_plus 6.0
zohocorp manageengine_key_manager_plus *
CVE-2021-28958 HIGH

Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 5.5
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_adselfservice_plus 5.1
zohocorp manageengine_adselfservice_plus 5.8
zohocorp manageengine_adselfservice_plus 5.0.6
zohocorp manageengine_adselfservice_plus 5.3
zohocorp manageengine_adselfservice_plus 5.4
zohocorp manageengine_adselfservice_plus 4.5
zohocorp manageengine_adselfservice_plus 5.6
zohocorp manageengine_adselfservice_plus 5.2
zohocorp manageengine_adselfservice_plus 5.7
zohocorp manageengine_adselfservice_plus 5.0
zohocorp manageengine_adselfservice_plus 6.0
CVE-2021-28959 HIGH

Zoho ManageEngine Eventlog Analyzer through 12147 is vulnerable to unauthenticated directory traversal via an entry in a ZIP archive. This leads to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_eventlog_analyzer 12.1.4
zohocorp manageengine_eventlog_analyzer *
CVE-2021-31159 MEDIUM

Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-209,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_servicedesk_plus_msp 10.5
CVE-2021-31160 MEDIUM

Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 10.5
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_servicedesk_plus_msp 10.5
CVE-2021-31530 MEDIUM

Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_servicedesk_plus_msp 10.5
CVE-2021-31531 HIGH

Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-918,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_servicedesk_plus_msp 10.5
CVE-2021-31813 LOW

Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 15.1
zohocorp manageengine_applications_manager *
CVE-2021-31857 MEDIUM

In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, attackers are able to retrieve credentials via a browser extension for non-website resource types.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_password_manager_pro *
zohocorp manageengine_password_manager_pro 11.1
CVE-2021-31874 MEDIUM

Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_adselfservice_plus *
CVE-2021-3287 HIGH

Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager 12.5
CVE-2021-33055 HIGH

Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_adselfservice_plus *
CVE-2021-33256 HIGH

A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as CSV file. Note: The vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-1236,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
CVE-2021-33617 MEDIUM

Zoho ManageEngine Password Manager Pro before 11.2 11200 allows login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName= username enumeration, because the response (to a failed login request) is null only when the username is invalid.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_password_manager_pro 11.2
zohocorp manageengine_password_manager_pro *
CVE-2021-33849 LOW

A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. The attack targets your application's users and not the application itself while using your application as the attack's vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp zoho_crm_lead_magnet 1.7.2.4
CVE-2021-33911 HIGH

Zoho ManageEngine ADManager Plus before 7110 allows remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-35512 MEDIUM

An SSRF issue was discovered in Zoho ManageEngine Applications Manager build 15200.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 15.2
CVE-2021-36771 MEDIUM

Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-36772 MEDIUM

Zoho ManageEngine ADManager Plus before 7110 allows stored XSS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37414 MEDIUM

Zoho ManageEngine DesktopCentral before 10.0.709 allows anyone to get a valid user's APIKEY without authentication.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2021-37415 HIGH

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-306,CWE-306,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 11.2
zohocorp manageengine_servicedesk_plus 11.0
zohocorp manageengine_servicedesk_plus 11.1
zohocorp manageengine_servicedesk_plus 11.3
CVE-2021-37416 MEDIUM

Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_adselfservice_plus *
CVE-2021-37417 MEDIUM

Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_adselfservice_plus *
CVE-2021-37419 MEDIUM

Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 6.1
CVE-2021-37420 MEDIUM

Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 6.1
CVE-2021-37421 HIGH

Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-345,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_adselfservice_plus *
CVE-2021-37422 HIGH

Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_adselfservice_plus *
CVE-2021-37423 HIGH

Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_adselfservice_plus *
CVE-2021-37424 HIGH

ManageEngine ADSelfService Plus before 6112 is vulnerable to domain user account takeover.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 6.1
CVE-2021-37539 HIGH

Zoho ManageEngine ADManager Plus before 7111 is vulnerable to unrestricted file which leads to Remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37741 MEDIUM

ManageEngine ADManager Plus before 7111 has Pre-authentication RCE vulnerabilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37761 HIGH

Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to unrestricted file upload, leading to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37762 HIGH

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file overwrite leading to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37918 HIGH

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37919 HIGH

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37920 HIGH

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37921 HIGH

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37922 MEDIUM

Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to path traversal which allows copying of files from one directory to another.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37923 HIGH

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37924 HIGH

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37925 HIGH

Zoho ManageEngine ADManager Plus version 7110 and prior has a Post-Auth OS command injection vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37926 HIGH

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37927 HIGH

Zoho ManageEngine ADManager Plus version 7110 and prior allows account takeover via SSO.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-347,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37928 HIGH

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37929 HIGH

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37930 HIGH

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-37931 HIGH

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-38298 HIGH

Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-611,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-40172 MEDIUM

Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zohocorp manageengine_log360 *
zohocorp manageengine_log360 5.2
CVE-2021-40173 MEDIUM

Zoho ManageEngine Cloud Security Plus before Build 4117 allows a CSRF attack on the server proxy settings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zohocorp manageengine_cloud_security_plus *
zohocorp manageengine_cloud_security_plus 4.1
CVE-2021-40174 MEDIUM

Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zohocorp manageengine_log360 *
zohocorp manageengine_log360 5.2
CVE-2021-40175 HIGH

Zoho ManageEngine Log360 before Build 5219 allows unrestricted file upload with resultant remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_log360 *
zohocorp manageengine_log360 5.2
CVE-2021-40176 MEDIUM

Zoho ManageEngine Log360 before Build 5225 allows stored XSS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_log360 *
zohocorp manageengine_log360 5.2
CVE-2021-40177 HIGH

Zoho ManageEngine Log360 before Build 5225 allows remote code execution via BCP file overwrite.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_log360 *
zohocorp manageengine_log360 5.2
CVE-2021-40178 MEDIUM

Zoho ManageEngine Log360 before Build 5224 allows stored XSS via the LOGO_PATH key value in the logon settings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_log360 *
zohocorp manageengine_log360 5.2
CVE-2021-40493 HIGH

Zoho ManageEngine OpManager before 125437 is vulnerable to SQL Injection in the support diagnostics module. This occurs via the pollingObject parameter of the getDataCollectionFailureReason API.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager 12.5
CVE-2021-40539 HIGH

Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-706,CWE-706,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 5.5
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_adselfservice_plus 5.1
zohocorp manageengine_adselfservice_plus 5.8
zohocorp manageengine_adselfservice_plus 5.0.6
zohocorp manageengine_adselfservice_plus 5.3
zohocorp manageengine_adselfservice_plus 5.4
zohocorp manageengine_adselfservice_plus 4.5
zohocorp manageengine_adselfservice_plus 5.6
zohocorp manageengine_adselfservice_plus 5.2
zohocorp manageengine_adselfservice_plus 5.7
zohocorp manageengine_adselfservice_plus 5.0
zohocorp manageengine_adselfservice_plus 6.0
zohocorp manageengine_adselfservice_plus *
CVE-2021-41075 HIGH

The NetFlow Analyzer in Zoho ManageEngine OpManger before 125455 is vulnerable to SQL Injection in the Attacks Module API.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager 12.5
CVE-2021-41080 HIGH

Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a hardware details search.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_network_configuration_manager 12.5
zohocorp manageengine_network_configuration_manager *
zohocorp manageengine_network_configuration_manager 12.3
CVE-2021-41081 HIGH

Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a configuration search.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_network_configuration_manager 12.5
zohocorp manageengine_network_configuration_manager *
zohocorp manageengine_network_configuration_manager 12.3
CVE-2021-41288 HIGH

Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager 12.5
CVE-2021-41827 MEDIUM

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials for read-only access. The credentials are in the source code that corresponds to the DCBackupRestore JAR archive.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zohocorp manageengine_remote_access_plus *
CVE-2021-41828 MEDIUM

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials associated with resetPWD.xml.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zohocorp manageengine_remote_access_plus *
CVE-2021-41829 MEDIUM

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application's build number to calculate a certain encryption key.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-330,

Products Affected

Vendor Product Version
zohocorp manageengine_remote_access_plus *
CVE-2021-41833 HIGH

Zoho ManageEngine Patch Connect Plus before 90099 is vulnerable to unauthenticated remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_patch_connect_plus 9.0.0
zohocorp manageengine_patch_connect_plus *
CVE-2021-42002 HIGH

Zoho ManageEngine ADManager Plus before 7115 is vulnerable to a filter bypass that leads to file-upload remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2021-42099 HIGH

Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_m365_manager_plus build_4119
zohocorp manageengine_m365_manager_plus build_4335
zohocorp manageengine_m365_manager_plus build_4304
zohocorp manageengine_m365_manager_plus build_4407
zohocorp manageengine_m365_manager_plus build_4100
zohocorp manageengine_m365_manager_plus build_4311
zohocorp manageengine_m365_manager_plus build_4320
zohocorp manageengine_m365_manager_plus build_4336
zohocorp manageengine_m365_manager_plus build_4401
zohocorp manageengine_m365_manager_plus build_4108
zohocorp manageengine_m365_manager_plus build_4333
zohocorp manageengine_m365_manager_plus build_4004
zohocorp manageengine_m365_manager_plus build_4414
zohocorp manageengine_m365_manager_plus build_4116
zohocorp manageengine_m365_manager_plus build_4209
zohocorp manageengine_m365_manager_plus build_4203
zohocorp manageengine_m365_manager_plus build_4216
zohocorp manageengine_m365_manager_plus build_4303
zohocorp manageengine_m365_manager_plus build_4413
zohocorp manageengine_m365_manager_plus build_4201
zohocorp manageengine_m365_manager_plus build_4412
zohocorp manageengine_m365_manager_plus build_4416
zohocorp manageengine_m365_manager_plus build_4218
zohocorp manageengine_m365_manager_plus build_4204
zohocorp manageengine_m365_manager_plus build_4322
zohocorp manageengine_m365_manager_plus build_4210
zohocorp manageengine_m365_manager_plus build_4013
zohocorp manageengine_m365_manager_plus build_4305
zohocorp manageengine_m365_manager_plus build_4318
zohocorp manageengine_m365_manager_plus build_4327
zohocorp manageengine_m365_manager_plus build_4400
zohocorp manageengine_m365_manager_plus build_4103
zohocorp manageengine_m365_manager_plus build_4012
zohocorp manageengine_m365_manager_plus build_4300
zohocorp manageengine_m365_manager_plus build_4117
zohocorp manageengine_m365_manager_plus build_4317
zohocorp manageengine_m365_manager_plus build_4217
zohocorp manageengine_m365_manager_plus build_4328
zohocorp manageengine_m365_manager_plus build_4106
zohocorp manageengine_m365_manager_plus build_4014
zohocorp manageengine_m365_manager_plus build_4406
zohocorp manageengine_m365_manager_plus build_4331
zohocorp manageengine_m365_manager_plus build_4005
zohocorp manageengine_m365_manager_plus build_4202
zohocorp manageengine_m365_manager_plus build_4321
zohocorp manageengine_m365_manager_plus build_4110
zohocorp manageengine_m365_manager_plus build_4206
zohocorp manageengine_m365_manager_plus build_4221
zohocorp manageengine_m365_manager_plus build_4113
zohocorp manageengine_m365_manager_plus build_4000
zohocorp manageengine_m365_manager_plus build_4200
zohocorp manageengine_m365_manager_plus build_4417
zohocorp manageengine_m365_manager_plus build_4205
zohocorp manageengine_m365_manager_plus build_4312
zohocorp manageengine_m365_manager_plus build_4007
zohocorp manageengine_m365_manager_plus build_4310
zohocorp manageengine_m365_manager_plus build_4219
zohocorp manageengine_m365_manager_plus build_4408
zohocorp manageengine_m365_manager_plus build_4111
zohocorp manageengine_m365_manager_plus build_4334
zohocorp manageengine_m365_manager_plus build_4105
zohocorp manageengine_m365_manager_plus build_4306
zohocorp manageengine_m365_manager_plus build_4102
zohocorp manageengine_m365_manager_plus build_4316
zohocorp manageengine_m365_manager_plus build_4008
zohocorp manageengine_m365_manager_plus build_4011
zohocorp manageengine_m365_manager_plus build_4104
zohocorp manageengine_m365_manager_plus build_4222
zohocorp manageengine_m365_manager_plus build_4112
zohocorp manageengine_m365_manager_plus build_4309
zohocorp manageengine_m365_manager_plus build_4415
zohocorp manageengine_m365_manager_plus build_4101
zohocorp manageengine_m365_manager_plus build_4207
zohocorp manageengine_m365_manager_plus build_4418
zohocorp manageengine_m365_manager_plus build_4301
zohocorp manageengine_m365_manager_plus build_4115
zohocorp manageengine_m365_manager_plus build_4410
zohocorp manageengine_m365_manager_plus build_4001
zohocorp manageengine_m365_manager_plus build_4109
zohocorp manageengine_m365_manager_plus build_4324
zohocorp manageengine_m365_manager_plus build_4403
zohocorp manageengine_m365_manager_plus build_4325
zohocorp manageengine_m365_manager_plus build_4220
zohocorp manageengine_m365_manager_plus build_4402
zohocorp manageengine_m365_manager_plus build_4215
zohocorp manageengine_m365_manager_plus build_4212
zohocorp manageengine_m365_manager_plus build_4002
zohocorp manageengine_m365_manager_plus build_4010
zohocorp manageengine_m365_manager_plus build_4302
zohocorp manageengine_m365_manager_plus build_4118
zohocorp manageengine_m365_manager_plus build_4330
zohocorp manageengine_m365_manager_plus build_4332
zohocorp manageengine_m365_manager_plus build_4419
zohocorp manageengine_m365_manager_plus -
zohocorp manageengine_m365_manager_plus build_4319
zohocorp manageengine_m365_manager_plus build_4009
zohocorp manageengine_m365_manager_plus build_4211
zohocorp manageengine_m365_manager_plus build_4003
zohocorp manageengine_m365_manager_plus build_4308
zohocorp manageengine_m365_manager_plus build_4214
zohocorp manageengine_m365_manager_plus build_4411
zohocorp manageengine_m365_manager_plus build_4213
zohocorp manageengine_m365_manager_plus build_4208
zohocorp manageengine_m365_manager_plus build_4329
CVE-2021-42847 HIGH

Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus 7.0
zohocorp manageengine_adaudit_plus *
CVE-2021-42954 MEDIUM

Zoho Remote Access Plus Server Windows Desktop Binary fixed from 10.1.2121.1 is affected by incorrect access control. The installation directory is vulnerable to weak file permissions by allowing full control for Windows Everyone user group (non-admin or any guest users), thereby allowing privilege escalation, unauthorized password reset, stealing of sensitive data, access to credentials in plaintext, access to registry values, tampering with configuration files, etc.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-732,

Products Affected

Vendor Product Version
zohocorp manageengine_remote_access_plus *
CVE-2021-42955 HIGH

Zoho Remote Access Plus Server Windows Desktop binary fixed in version 10.1.2132 is affected by an unauthorized password reset vulnerability. Because of the designed password reset mechanism, any non-admin Windows user can reset the password of the Remote Access Plus Server Admin account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L 2.0 4.7
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-732,

Products Affected

Vendor Product Version
zohocorp manageengine_remote_access_plus *
CVE-2021-43294 MEDIUM

Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_supportcenter_plus 11.0
CVE-2021-43295 MEDIUM

Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_supportcenter_plus 11.0
CVE-2021-43296 MEDIUM

Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
zohocorp manageengine_supportcenter_plus 11.0
CVE-2021-43319 HIGH

Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
zohocorp manageengine_network_configuration_manager 12.5
zohocorp manageengine_network_configuration_manager 12.4
zohocorp manageengine_network_configuration_manager 12.1
zohocorp manageengine_network_configuration_manager 11.0
zohocorp manageengine_network_configuration_manager 12.2
zohocorp manageengine_network_configuration_manager 12.0
zohocorp manageengine_network_configuration_manager 12.3
CVE-2021-44077 HIGH

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-306,CWE-306,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_servicedesk_plus 11.2
zohocorp manageengine_servicedesk_plus 11.1
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_supportcenter_plus 11.0
zohocorp manageengine_servicedesk_plus_msp 10.5
zohocorp manageengine_supportcenter_plus *
zohocorp manageengine_servicedesk_plus 11.3
CVE-2021-44514 HIGH

OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager 12.5
CVE-2021-44515 HIGH

Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2021-44525 HIGH

Zoho ManageEngine PAM360 before build 5303 allows attackers to modify a few aspects of application state because of a filter bypass in which authentication is not required.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zohocorp manageengine_pam360 4.1
zohocorp manageengine_pam360 4.0
zohocorp manageengine_pam360 5.0
zohocorp manageengine_pam360 5.2
zohocorp manageengine_pam360 4.5
zohocorp manageengine_pam360 5.3
zohocorp manageengine_pam360 5.1
CVE-2021-44526 MEDIUM

Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 8.2
zohocorp manageengine_servicedesk_plus 9.0
zohocorp manageengine_servicedesk_plus 12.0
zohocorp manageengine_servicedesk_plus 9.4
zohocorp manageengine_servicedesk_plus 11.1
zohocorp manageengine_servicedesk_plus 10.5
zohocorp manageengine_servicedesk_plus 11.2
zohocorp manageengine_servicedesk_plus 11.0
zohocorp manageengine_servicedesk_plus 9.3
zohocorp manageengine_servicedesk_plus 10.0.0
zohocorp manageengine_servicedesk_plus 10.0
zohocorp manageengine_servicedesk_plus 8.1
zohocorp manageengine_servicedesk_plus 11.3
zohocorp manageengine_servicedesk_plus 9.2
zohocorp manageengine_servicedesk_plus 9.1
CVE-2021-44650 MEDIUM

Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote command execution when updating proxy settings through the Admin ProxySettings and Tenant ProxySettings components.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_m365_manager_plus *
zohocorp manageengine_m365_manager_plus 4.4
CVE-2021-44651 MEDIUM

Zoho ManageEngine CloudSecurityPlus before Build 4117 allows remote code execution through the updatePersonalizeSettings component due to an improper security patch for CVE-2021-40175.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
zohocorp manageengine_cloud_security_plus *
zohocorp log360 *
zohocorp manageengine_cloud_security_plus 4.1
CVE-2021-44652 MEDIUM

Zoho ManageEngine O365 Manager Plus before Build 4416 allows remote code execution via BCP file overwrite through the ChangeDBAPI component.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_o365_manager_plus 4.4
zohocorp manageengine_o365_manager_plus *
CVE-2021-44675 HIGH

Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in which authentication is not required.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_servicedesk_plus_msp 10.5
CVE-2021-44676 HIGH

Zoho ManageEngine Access Manager Plus before 4203 allows anyone to view a few data elements (e.g., access control details) and modify a few aspects of the application state.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zohocorp manageengine_access_manager_plus 4.2
zohocorp manageengine_access_manager_plus 4.1
CVE-2021-44757 MEDIUM

Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
zohocorp manageengine_desktop_central_managed_service_providers *
CVE-2021-46065 LOW

A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attackers to inject arbitrary JavaScript code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 11.3
CVE-2021-46164 MEDIUM

Zoho ManageEngine Desktop Central before 10.0.662 allows remote code execution by an authenticated user who has complete access to the Reports module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2021-46165 MEDIUM

Zoho ManageEngine Desktop Central before 10.0.662, during startup, launches an executable file from the batch files, but this file's path might not be properly defined.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2021-46166 MEDIUM

Zoho ManageEngine Desktop Central before 10.0.662 allows authenticated users to obtain sensitive information from the database by visiting the Reports page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2022-23050 MEDIUM

ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 15.5
zohocorp manageengine_applications_manager *
CVE-2022-23779 MEDIUM

Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2022-23863 MEDIUM

Zoho ManageEngine Desktop Central before 10.1.2137.10 allows an authenticated user to change any user's login password.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2022-24305 HIGH

Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_sharepoint_manager_plus -
CVE-2022-24306 HIGH

Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-863,

Products Affected

Vendor Product Version
zohocorp manageengine_sharepoint_manager_plus -
CVE-2022-24446 LOW

An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user, with the level Operator, can see all SSH servers (and user information) even if no SSH server or user is associated to the operator.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_key_manager_plus 6.1.6
CVE-2022-24447 MEDIUM

An issue was discovered in Zoho ManageEngine Key Manager Plus before 6200. A service exposed by the application allows a user, with the level Operator, to access stored SSL certificates and associated key pairs during export.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_key_manager_plus 6.0
zohocorp manageengine_key_manager_plus *
zohocorp manageengine_key_manager_plus 6.1
CVE-2022-24681 MEDIUM

Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_adselfservice_plus *
CVE-2022-24978 MEDIUM

Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,CWE-522,

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus 7.0
zohocorp manageengine_adaudit_plus *
CVE-2022-25245 MEDIUM

Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_servicedesk_plus 13.0
CVE-2022-25373 LOW

Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zohocorp manageengine_supportcenter_plus 11.0
zohocorp manageengine_supportcenter_plus *
CVE-2022-26653 MEDIUM

Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-425,

Products Affected

Vendor Product Version
zohocorp manageengine_remote_access_plus *
CVE-2022-26777 MEDIUM

Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-425,

Products Affected

Vendor Product Version
zohocorp manageengine_remote_access_plus *
CVE-2022-27908 MEDIUM

Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager 12.5
CVE-2022-28219 HIGH

Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-611,

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus 7.0
zohocorp manageengine_adaudit_plus *
CVE-2022-28810 HIGH

Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-798,CWE-798,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_adselfservice_plus *
CVE-2022-28987 MEDIUM

Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
CVE-2022-29081 HIGH

Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_pam360 4.1
zohocorp manageengine_pam360 4.5
zohocorp manageengine_pam360 5.3
zohocorp manageengine_pam360 5.4
zohocorp manageengine_password_manager_pro 10.1
zohocorp manageengine_password_manager_pro 11.2
zohocorp manageengine_pam360 5.1
zohocorp manageengine_password_manager_pro 12.0
zohocorp manageengine_password_manager_pro 11.3
zohocorp manageengine_pam360 4.0
zohocorp manageengine_password_manager_pro 10.2
zohocorp manageengine_access_manager_plus 4.2
zohocorp manageengine_pam360 5.0
zohocorp manageengine_pam360 5.2
zohocorp manageengine_access_manager_plus 4.1
zohocorp manageengine_access_manager_plus 4.0
zohocorp manageengine_password_manager_pro 10.3
zohocorp manageengine_password_manager_pro 11.1
zohocorp manageengine_access_manager_plus 4.3
zohocorp manageengine_password_manager_pro 10.4
CVE-2022-29457 MEDIUM

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_admanager_plus *
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_admanager_plus 7.1
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_exchange_reporter_plus *
zohocorp manageengine_adselfservice_plus *
zohocorp manageengine_adaudit_plus 7.0.0
CVE-2022-29535 HIGH

Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager 12.5
CVE-2022-32551 MEDIUM

Zoho ManageEngine ServiceDesk Plus MSP before 10604 allows path traversal (to WEBINF/web.xml from sample/WEB-INF/web.xml or sample/META-INF/web.xml).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_servicedesk_plus_msp 10.6
CVE-2022-34829 MEDIUM

Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.2
zohocorp manageengine_adselfservice_plus *
CVE-2022-35403 MEDIUM

Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability via ticket-creation email. (This also affects Asset Explorer before 6977 with authentication.)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_servicedesk_plus 13.0
zohocorp manageengine_assetexplorer *
zohocorp manageengine_assetexplorer 6.9
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_supportcenter_plus 11.0
zohocorp manageengine_supportcenter_plus *
zohocorp manageengine_servicedesk_plus_msp 10.6
CVE-2022-35404

ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H 3.9 4.2

Products Affected

Vendor Product Version
zohocorp manageengine_network_configuration_manager 12.5
zohocorp manageengine_opmanager *
zohocorp manageengine_netflow_analyzer *
zohocorp manageengine_opmanager 12.5
zohocorp manageengine_firewall_analyzer *
zohocorp manageengine_firewall_analyzer 12.5
zohocorp manageengine_network_configuration_manager *
zohocorp manageengine_netflow_analyzer 12.5
CVE-2022-35405

Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_password_manager_pro 12.1
zohocorp manageengine_pam360 5.5
zohocorp manageengine_access_manager_plus *
zohocorp manageengine_pam360 *
zohocorp manageengine_password_manager_pro *
zohocorp manageengine_access_manager_plus 4.3
CVE-2022-36412

In Zoho ManageEngine SupportCenter Plus before 11023, V3 API requests are vulnerable to authentication bypass. (An API request may, in effect, be executed with the credentials of a user who authenticated in the past.)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_supportcenter_plus 11.0
CVE-2022-36413

Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.2
zohocorp manageengine_adselfservice_plus *
CVE-2022-36923

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
zohocorp manageengine_network_configuration_manager 12.5
zohocorp manageengine_netflow_analyzer 12.6
zohocorp manageengine_opmanager 12.6
zohocorp manageengine_opmanager_msp 12.5
zohocorp manageengine_opmanager_msp 12.6
zohocorp manageengine_opmanager_plus 12.5
zohocorp manageengine_firewall_analyzer 12.6
zohocorp manageengine_network_configuration_manager 12.6
zohocorp manageengine_oputils 12.6
zohocorp manageengine_opmanager 12.5
zohocorp manageengine_oputils 12.5
zohocorp manageengine_firewall_analyzer 12.5
zohocorp manageengine_opmanager_plus 12.6
zohocorp manageengine_netflow_analyzer 12.5
CVE-2022-37024

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 ( 125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_network_configuration_manager 12.5
zohocorp manageengine_netflow_analyzer 12.6
zohocorp manageengine_opmanager 12.6
zohocorp manageengine_opmanager_msp 12.5
zohocorp manageengine_opmanager_msp 12.6
zohocorp manageengine_opmanager_plus 12.5
zohocorp manageengine_firewall_analyzer 12.6
zohocorp manageengine_network_configuration_manager 12.6
zohocorp manageengine_oputils 12.6
zohocorp manageengine_opmanager 12.5
zohocorp manageengine_oputils 12.5
zohocorp manageengine_firewall_analyzer 12.5
zohocorp manageengine_opmanager_plus 12.6
zohocorp manageengine_netflow_analyzer 12.5
CVE-2022-38772

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes that lead to remote code execution in the NMAP feature.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_network_configuration_manager 12.5
zohocorp manageengine_netflow_analyzer 12.6
zohocorp manageengine_opmanager 12.6
zohocorp manageengine_opmanager_msp 12.5
zohocorp manageengine_opmanager_msp 12.6
zohocorp manageengine_opmanager_plus 12.5
zohocorp manageengine_network_configuration_manager 12.6
zohocorp manageengine_oputils 12.6
zohocorp manageengine_opmanager 12.5
zohocorp manageengine_oputils 12.5
zohocorp manageengine_opmanager_plus 12.6
zohocorp manageengine_netflow_analyzer 12.5
CVE-2022-40300

Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 have multiple SQL injection vulnerabilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_pam360 5.4
zohocorp manageengine_password_manager_pro 6.8
zohocorp manageengine_password_manager_pro 7.1
zohocorp manageengine_password_manager_pro 4.7
zohocorp manageengine_password_manager_pro 6.4
zohocorp manageengine_password_manager_pro 9.4
zohocorp manageengine_password_manager_pro 10.2
zohocorp manageengine_password_manager_pro 6.6
zohocorp manageengine_password_manager_pro 8.6
zohocorp manageengine_password_manager_pro 7.0
zohocorp manageengine_password_manager_pro 5.4
zohocorp manageengine_access_manager_plus 4.3
zohocorp manageengine_pam360 4.5
zohocorp manageengine_password_manager_pro 9.6
zohocorp manageengine_password_manager_pro 5.0
zohocorp manageengine_password_manager_pro 4.6
zohocorp manageengine_pam360 5.1
zohocorp manageengine_password_manager_pro 7.6
zohocorp manageengine_pam360 5.0
zohocorp manageengine_password_manager_pro 7.5
zohocorp manageengine_password_manager_pro 6.0
zohocorp manageengine_password_manager_pro 6.3
zohocorp manageengine_pam360 5.5
zohocorp manageengine_password_manager_pro 8.1
zohocorp manageengine_pam360 4.1
zohocorp manageengine_password_manager_pro 8.2
zohocorp manageengine_password_manager_pro 6.9
zohocorp manageengine_password_manager_pro 10.1
zohocorp manageengine_password_manager_pro 8.4
zohocorp manageengine_password_manager_pro 8.5
zohocorp manageengine_password_manager_pro 6.1
zohocorp manageengine_password_manager_pro 12.0
zohocorp manageengine_password_manager_pro 10.0
zohocorp manageengine_password_manager_pro 5.2
zohocorp manageengine_password_manager_pro 6.2
zohocorp manageengine_password_manager_pro 9.9
zohocorp manageengine_pam360 4.0
zohocorp manageengine_password_manager_pro 9.2
zohocorp manageengine_access_manager_plus 4.2
zohocorp manageengine_password_manager_pro 9.8
zohocorp manageengine_password_manager_pro 6.5
zohocorp manageengine_access_manager_plus 4.1
zohocorp manageengine_access_manager_plus 4.0
zohocorp manageengine_password_manager_pro 10.3
zohocorp manageengine_password_manager_pro 10.4
zohocorp manageengine_password_manager_pro 8.3
zohocorp manageengine_password_manager_pro 9.1
zohocorp manageengine_password_manager_pro 12.1
zohocorp manageengine_pam360 5.3
zohocorp manageengine_password_manager_pro 11.2
zohocorp manageengine_password_manager_pro 9.0
zohocorp manageengine_password_manager_pro 9.5
zohocorp manageengine_password_manager_pro 9.7
zohocorp manageengine_password_manager_pro 11.3
zohocorp manageengine_password_manager_pro 8.0
zohocorp manageengine_password_manager_pro 8.7
zohocorp manageengine_pam360 5.2
zohocorp manageengine_password_manager_pro 6.7
zohocorp manageengine_password_manager_pro 5.3
zohocorp manageengine_password_manager_pro 5.1
zohocorp manageengine_password_manager_pro 11.1
zohocorp manageengine_password_manager_pro 4.8
zohocorp manageengine_password_manager_pro 9.3
CVE-2022-40770

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users.

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_servicedesk_plus 13.0
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_supportcenter_plus 11.0
zohocorp manageengine_supportcenter_plus *
zohocorp manageengine_servicedesk_plus_msp 10.6
CVE-2022-40771

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_servicedesk_plus_msp 13.0
zohocorp manageengine_servicedesk_plus 14.0
zohocorp manageengine_assetexplorer *
zohocorp manageengine_assetexplorer 6.9
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_supportcenter_plus 11.0
zohocorp manageengine_supportcenter_plus *
CVE-2022-40772

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module.

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_servicedesk_plus 14.0
zohocorp manageengine_assetexplorer *
zohocorp manageengine_assetexplorer 6.9
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_supportcenter_plus 11.0
zohocorp manageengine_supportcenter_plus *
zohocorp manageengine_servicedesk_plus_msp 10.6
CVE-2022-40773

Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view.

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_supportcenter_plus 11.0
zohocorp manageengine_supportcenter_plus *
zohocorp manageengine_servicedesk_plus_msp 10.6
CVE-2022-41339

In Zoho ManageEngine Mobile Device Manager Plus before 10.1.2207.5, the User Administration module allows privilege escalation.

Products Affected

Vendor Product Version
zohocorp manageengine_mobile_device_manager_plus 10.1.2207.4
CVE-2022-41978

Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin <= 1.7.5.8 on WordPress.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6
audit@patchstack.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zohocorp zoho_crm_lead_magnet *
CVE-2022-42903

Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.

Products Affected

Vendor Product Version
zohocorp manageengine_supportcenter_plus 11.0
CVE-2022-42904

Zoho ManageEngine ADManager Plus through 7151 allows authenticated admin users to execute the commands in proxy settings.

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2022-43473

A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 2.5
talos-cna@cisco.com 5.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L 1.6 3.7

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager_plus *
zohocorp manageengine_opmanager_msp *
zohocorp manageengine_opmanager 12.6
zohocorp manageengine_opmanager_plus 12.6
zohocorp manageengine_opmanager_msp 12.6
CVE-2022-43671

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection.

Products Affected

Vendor Product Version
zohocorp manageengine_pam360 5.7
zohocorp manageengine_password_manager_pro 12.1
zohocorp manageengine_access_manager_plus *
zohocorp manageengine_pam360 *
zohocorp manageengine_password_manager_pro *
zohocorp manageengine_access_manager_plus 4.3
CVE-2022-43672

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671.

Products Affected

Vendor Product Version
zohocorp manageengine_pam360 5.7
zohocorp manageengine_password_manager_pro 12.1
zohocorp manageengine_access_manager_plus *
zohocorp manageengine_pam360 *
zohocorp manageengine_password_manager_pro *
zohocorp manageengine_access_manager_plus 4.3
CVE-2022-47523

Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.

Products Affected

Vendor Product Version
zohocorp manageengine_password_manager_pro 12.2
zohocorp manageengine_access_manager_plus *
zohocorp manageengine_pam360 *
zohocorp manageengine_password_manager_pro *
zohocorp manageengine_pam360 5.8
zohocorp manageengine_access_manager_plus 4.3
CVE-2022-47577

An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by making use of a virtual machine (VM). This allows a file to be exchanged outside the laptop/system. VMs can be created by any user (even without admin rights). The data exfiltration can occur without any record in the audit trail of Windows events on the host machine. NOTE: the vendor's position is "it's not a vulnerability in our product."

Products Affected

Vendor Product Version
zohocorp manageengine_device_control_plus 10.1.2228.15
CVE-2022-47578

An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by booting into Safe Mode. This allows a file to be exchanged outside the laptop/system. Safe Mode can be launched by any user (even without admin rights). Data exfiltration can occur, and also malware might be introduced onto the system. NOTE: the vendor's position is "it's not a vulnerability in our product."

Products Affected

Vendor Product Version
zohocorp manageengine_device_control_plus 10.1.2228.15
CVE-2022-47966

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_admanager_plus *
zohocorp manageengine_adselfservice_plus 6.2
zohocorp manageengine_desktop_central *
zohocorp manageengine_endpoint_dlp_plus *
zohocorp manageengine_device_control_plus *
zohocorp manageengine_servicedesk_plus 14.0
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_access_manager_plus *
zohocorp manageengine_adaudit_plus 7.0
zohocorp manageengine_servicedesk_plus_msp 13.0
zohocorp manageengine_ad360 4.3
zohocorp manageengine_patch_manager_plus *
zohocorp manageengine_supportcenter_plus 11.0
zohocorp manageengine_analytics_plus *
zohocorp manageengine_password_manager_pro *
zohocorp manageengine_application_control_plus *
zohocorp manageengine_access_manager_plus 4.3
zohocorp manageengine_rmm_central *
zohocorp manageengine_os_deployer *
zohocorp manageengine_password_manager_pro 12.1
zohocorp manageengine_analytics_plus 5.1
zohocorp manageengine_admanager_plus 7.1
zohocorp manageengine_browser_security_plus *
zohocorp manageengine_key_manager_plus *
zohocorp manageengine_assetexplorer *
zohocorp manageengine_assetexplorer 6.9
zohocorp manageengine_key_manager_plus 6.4
zohocorp manageengine_remote_monitoring_and_management_central *
zohocorp manageengine_pam360 5.7
zohocorp application_control_plus *
zohocorp manageengine_ad360 *
zohocorp manageengine_remote_access_plus *
zohocorp manageengine_pam360 *
zohocorp manageengine_adselfservice_plus *
zohocorp manageengine_vulnerability_manager_plus *
CVE-2022-48362

Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central *
CVE-2023-0169

The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
zohocorp zoho_forms *
CVE-2023-22624

Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks.

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_exchange_reporter_plus *
CVE-2023-2291

Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.

Products Affected

Vendor Product Version
zohocorp manageengine_pam360 *
zohocorp manageengine_password_manager_pro *
zohocorp manageengine_access_manager_plus 4.3
CVE-2023-22964

Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled.

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus_msp 13.0
zohocorp manageengine_servicedesk_plus_msp 10.6
CVE-2023-23073

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 14.0
CVE-2023-23074

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 14.0
CVE-2023-23075

Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets Workstation.

Products Affected

Vendor Product Version
zohocorp manageengine_assetexplorer 6.9
CVE-2023-23076

OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_supportcenter_plus 11.0
CVE-2023-23077

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 13.0
CVE-2023-23078

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus 14.0
CVE-2023-26600

ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_servicedesk_plus_msp 13.0
zohocorp manageengine_assetexplorer *
zohocorp manageengine_assetexplorer 6.9
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_supportcenter_plus 11.0
zohocorp manageengine_servicedesk_plus 14.1
zohocorp manageengine_supportcenter_plus *
CVE-2023-26601

Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_supportcenter_plus 14.0
zohocorp manageengine_assetexplorer *
zohocorp manageengine_assetexplorer 6.9
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_servicedesk_plus 14.1
zohocorp manageengine_supportcenter_plus *
zohocorp manageengine_servicedesk_plus_msp 14.0
CVE-2023-28340

Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N 1.2 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 16.3
zohocorp manageengine_applications_manager *
CVE-2023-28341

Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 16.3
zohocorp manageengine_applications_manager *
zohocorp manageengine_applications_manager 15.9
CVE-2023-28342

Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 5.5
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_adselfservice_plus 6.2
zohocorp manageengine_adselfservice_plus 5.1
zohocorp manageengine_adselfservice_plus 5.8
zohocorp manageengine_adselfservice_plus 5.0.6
zohocorp manageengine_adselfservice_plus 5.3
zohocorp manageengine_adselfservice_plus 5.4
zohocorp manageengine_adselfservice_plus 4.5
zohocorp manageengine_adselfservice_plus 5.6
zohocorp manageengine_adselfservice_plus 5.2
zohocorp manageengine_adselfservice_plus 5.7
zohocorp manageengine_adselfservice_plus 5.0
zohocorp manageengine_adselfservice_plus 6.0
CVE-2023-29084

Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings.

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2023-29442

Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS.

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 16.3
zohocorp manageengine_applications_manager *
CVE-2023-29443

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_supportcenter_plus 14.0
zohocorp manageengine_assetexplorer 6.9
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_servicedesk_plus 14.1
zohocorp manageengine_supportcenter_plus *
zohocorp manageengine_servicedesk_plus_msp 14.0
CVE-2023-29505

An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. The WebSocket endpoint allows Cross-site WebSocket hijacking.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
zohocorp manageengine_network_configuration_manager 12.6
CVE-2023-31099

Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers.

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager 12.6
CVE-2023-31492

Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2023-32783

The event analysis component in Zoho ManageEngine ADAudit Plus 7.1.1 allows an attacker to bypass audit detection by creating or renaming user accounts with a "$" symbol suffix. NOTE: the vendor states "We do not consider this as a security bug and it's an expected behaviour."

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus 7.1.1
CVE-2023-34197

Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make modifications.

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_servicedesk_plus_msp 14.2
zohocorp manageengine_servicedesk_plus 14.2
zohocorp manageengine_supportcenter_plus 14.2
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_supportcenter_plus *
CVE-2023-35719

ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
CVE-2023-35785

Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4161 and below, Data Security Plus 6110 and below, Eventlog Analyzer 12301 and below, Exchange Reporter Plus 5709 and below, Log360 5315 and below, Log360 UEBA 4045 and below, M365 Manager Plus 4529 and below, M365 Security Plus 4529 and below, Recovery Manager Plus 6061 and below, ServiceDesk Plus 14204 and below and 143xx 14302 and below, ServiceDesk Plus MSP 14300 and below, SharePoint Manager Plus 4402 and below, and Support Center Plus 14300 and below are vulnerable to 2FA bypass via a few TOTP authenticators. Note: A valid pair of username and password is required to leverage this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_m365_security_plus 4.5
zohocorp manageengine_admanager_plus *
zohocorp manageengine_assetexplorer 7.0
zohocorp manageengine_servicedesk_plus_msp 14.3
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_datasecurity_plus 6.1
zohocorp manageengine_sharepoint_manager_plus *
zohocorp manageengine_sharepoint_manager_plus 4.4
zohocorp manageengine_cloud_security_plus 4.1
zohocorp manageengine_m365_security_plus *
zohocorp manageengine_servicedesk_plus 14.2
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_servicedesk_plus 14.3
zohocorp manageengine_ad360 4.3
zohocorp manageengine_log360_ueba 4.0
zohocorp manageengine_log360 5.3
zohocorp manageengine_adaudit_plus 7.2
zohocorp manageengine_eventlog_analyzer *
zohocorp manageengine_recoverymanager_plus *
zohocorp manageengine_m365_manager_plus *
zohocorp manageengine_m365_manager_plus 4.5
zohocorp manageengine_assetexplorer *
zohocorp manageengine_assetexplorer 6.9
zohocorp manageengine_cloud_security_plus *
zohocorp manageengine_recoverymanager_plus 6.0
zohocorp manageengine_eventlog_analyzer 12.3.0
zohocorp manageengine_log360 *
zohocorp manageengine_admanager_plus 7.2
zohocorp manageengine_ad360 *
zohocorp manageengine_supportcenter_plus 14.3
zohocorp manageengine_datasecurity_plus *
zohocorp manageengine_exchange_reporter_plus *
zohocorp manageengine_supportcenter_plus *
CVE-2023-35786

Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files.

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.1
CVE-2023-35854

Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.1
zohocorp manageengine_adselfservice_plus *
CVE-2023-37308

Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field.

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus 7.0
zohocorp manageengine_adaudit_plus *
CVE-2023-38331

Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module.

Products Affected

Vendor Product Version
zohocorp manageengine_supportcenter_plus 14.0
zohocorp manageengine_supportcenter_plus 8.1
zohocorp manageengine_supportcenter_plus 8.0
zohocorp manageengine_supportcenter_plus 11.0
CVE-2023-38332

Zoho ManageEngine ADManager Plus through 7201 allow authenticated users to take over another user's account via sensitive information disclosure.

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.2
CVE-2023-38333

Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 16.5
zohocorp manageengine_applications_manager *
CVE-2023-38743

Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
CVE-2023-39912

Zoho ManageEngine ADManager Plus before 7203 allows Help Desk Technician users to read arbitrary files on the machine where this product is installed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.2
CVE-2023-41904

Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass (for AuthToken generation) in REST APIs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.2
CVE-2023-47211

A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
talos-cna@cisco.com 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L 3.1 5.3
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N 3.9 4.0

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_netflow_analyzer *
zohocorp manageengine_opmanager_msp *
zohocorp manageengine_network_configuration_manager 12.7
zohocorp manageengine_network_configuration_manager *
zohocorp manageengine_opmanager 12.7
zohocorp manageengine_opmanager_plus *
zohocorp manageengine_netflow_analyzer 12.7
zohocorp manageengine_oputils *
zohocorp manageengine_oputils 12.7
zohocorp manageengine_opmanager_msp 12.7
zohocorp manageengine_opmanager_plus 12.7
zohocorp manageengine_firewall_analyzer *
zohocorp manageengine_firewall_analyzer 12.7
CVE-2023-4767

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@incibe.es 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 9.1.0
CVE-2023-4768

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.pdf.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
cve-coordination@incibe.es 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 9.1.0
CVE-2023-4769

A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. This vulnerability could allow an authenticated attacker to launch targeted attacks, such as a cross-port attack, service enumeration and other attacks via HTTP requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
cve-coordination@incibe.es 6.6 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.7 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_desktop_central 9.1.0
CVE-2023-48646

Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_recoverymanager_plus 6.0
zohocorp manageengine_recoverymanager_plus *
CVE-2023-48792

Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 7.2
CVE-2023-48793

Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 7.2
CVE-2023-49330

Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL Injection while getting aggregate report data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 7.2
CVE-2023-49331

Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection in the aggregate reports search option.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 7.2
CVE-2023-49332

Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection while adding file shares.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 7.2
CVE-2023-49333

Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection in the dashboard graph feature.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 7.2
CVE-2023-49334

Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL Injection while exporting a full summary report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 7.2
CVE-2023-49335

Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection while getting file server details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 7.2
CVE-2023-49943

Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus_msp 14.5
zohocorp manageengine_servicedesk_plus_msp *
CVE-2023-50785

Zoho ManageEngine ADAudit Plus before 7270 allows admin users to view names of arbitrary directories via path traversal.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus 7.2
CVE-2023-50891

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Forms Form plugin for WordPress – Zoho Forms allows Stored XSS.This issue affects Form plugin for WordPress – Zoho Forms: from n/a through 3.0.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
audit@patchstack.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L 2.3 3.7

Products Affected

Vendor Product Version
zohocorp zoho_forms *
CVE-2023-6105

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnreport@tenable.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
zohocorp manageengine_patch_connect_plus 9.0.0
zohocorp manageengine_m365_security_plus 4.5
zohocorp manageengine_admanager_plus *
zohocorp manageengine_servicedesk_plus_msp 14.3
zohocorp manageengine_device_control_plus *
zohocorp manageengine_adselfservice_plus 6.3
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_access_manager_plus *
zohocorp manageengine_network_configuration_manager 12.7
zohocorp manageengine_sharepoint_manager_plus *
zohocorp manageengine_netflow_analyzer 12.7
zohocorp manageengine_m365_security_plus *
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_oputils *
zohocorp manageengine_log360_ueba *
zohocorp manageengine_patch_manager_plus *
zohocorp manageengine_firewall_analyzer 12.5
zohocorp manageengine_secure_gateway_server *
zohocorp manageengine_access_manager_plus 4.3
zohocorp manageengine_recoverymanager_plus *
zohocorp manageengine_network_configuration_manager 12.5
zohocorp manageengine_os_deployer *
zohocorp manageengine_m365_manager_plus *
zohocorp manageengine_cloud_security_plus *
zohocorp manageengine_network_configuration_manager *
zohocorp manageengine_endpoint_central_msp *
zohocorp manageengine_opmanager 12.7
zohocorp manageengine_secure_gateway_server 9.0
zohocorp manageengine_admanager_plus 7.2
zohocorp manageengine_appcreator *
zohocorp manageengine_oputils 12.7
zohocorp manageengine_remote_access_plus *
zohocorp manageengine_datasecurity_plus *
zohocorp manageengine_exchange_reporter_plus *
zohocorp manageengine_pam360 *
zohocorp manageengine_supportcenter_plus *
zohocorp manageengine_firewall_analyzer 12.7
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_assetexplorer 7.0
zohocorp manageengine_endpoint_dlp_plus *
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_datasecurity_plus 6.1
zohocorp manageengine_sharepoint_manager_plus 4.4
zohocorp manageengine_cloud_security_plus 4.1
zohocorp manageengine_endpoint_central *
zohocorp manageengine_servicedesk_plus 14.3
zohocorp manageengine_log360_ueba 4.0
zohocorp manageengine_oputils 12.5
zohocorp manageengine_analytics_plus *
zohocorp manageengine_password_manager_pro *
zohocorp manageengine_adaudit_plus 7.2
zohocorp manageengine_application_control_plus *
zohocorp manageengine_netflow_analyzer 12.5
zohocorp manageengine_opmanager *
zohocorp manageengine_netflow_analyzer *
zohocorp manageengine_m365_manager_plus 4.5
zohocorp manageengine_browser_security_plus *
zohocorp manageengine_assetexplorer *
zohocorp manageengine_recoverymanager_plus 6.0
zohocorp manageengine_remote_monitoring_and_management *
zohocorp manageengine_mobile_device_manager_plus 10.1.2207.4
zohocorp manageengine_opmanager 12.5
zohocorp manageengine_supportcenter_plus 14.3
zohocorp manageengine_firewall_analyzer *
zohocorp manageengine_mobile_device_manager_plus *
zohocorp manageengine_adselfservice_plus *
zohocorp manageengine_vulnerability_manager_plus *
CVE-2024-0252

ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.4
zohocorp manageengine_adselfservice_plus *
CVE-2024-0253

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in home Graph-Data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 7.2
CVE-2024-0269

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in File-Summary DrillDown. This issue has been fixed and released in version 7271.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 7.2
CVE-2024-10203

Zohocorp ManageEngine EndPoint Central versions 11.3.2416.21 and below, 11.3.2428.9 and below are vulnerable to Arbitrary File Deletion in the agent installed machines.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_endpoint_central *
CVE-2024-10839

Zohocorp ManageEngine SharePoint Manager Plus versions 4503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.5 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L 3.1 4.7

Products Affected

Vendor Product Version
zohocorp manageengine_sharepoint_manager_plus 4.0
zohocorp manageengine_sharepoint_manager_plus 4.2
zohocorp manageengine_sharepoint_manager_plus 4.5
zohocorp manageengine_sharepoint_manager_plus 4.3
zohocorp manageengine_sharepoint_manager_plus 4.1
zohocorp manageengine_sharepoint_manager_plus 4.4
CVE-2024-21775

Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to the Authenticated SQL injection in report exporting feature.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_exchange_reporter_plus *
CVE-2024-21791

Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL Injection in lockout history option. Note: Non-admin users cannot exploit this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 1.2 3.4

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 7.2
CVE-2024-27310

Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to the DOS attack due to the malicious LDAP input.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.4
zohocorp manageengine_adselfservice_plus *
CVE-2024-27311

Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to directory traversal vulnerability which allows the user to upload new files to the server folder.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L 2.1 3.4

Products Affected

Vendor Product Version
zohocorp manageengine_ddi_central *
CVE-2024-27312

Zohocorp ManageEngine PAM360 version 6601 is vulnerable to authorization vulnerability which allows a low-privileged user to perform admin actions. Note: This vulnerability affects only the PAM360 6600 version. No other versions are applicable to this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_pam360 6.6
zohocorp manageengine_pam360 *
CVE-2024-27313

Zoho ManageEngine PAM360 is vulnerable to Stored XSS vulnerability. This vulnerability is applicable only in the version 6610.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N 2.1 4.2

Products Affected

Vendor Product Version
zohocorp manageengine_pam360 6.6
CVE-2024-27314

Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720 are vulnerable to stored XSS in the Custom Actions menu on the request details. This vulnerability can be exploited only by the SDAdmin role users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 2.4 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N 0.9 1.4

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_servicedesk_plus_msp 14.7
zohocorp manageengine_servicedesk_plus 14.7
zohocorp manageengine_supportcenter_plus 14.7
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_supportcenter_plus *
CVE-2024-36036

Zoho ManageEngine ADAudit Plus versions 7260 and below allows unauthorized local agent machine users to access sensitive information and modifying the agent configuration.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 4.2 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N 1.1 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 7.2
CVE-2024-36037

Zoho ManageEngine ADAudit Plus versions 7260 and below allows unauthorized local agent machine users to view the session recordings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 7.2
CVE-2024-36485

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in Technician reports option.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 8.1
CVE-2024-36518

Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in attack surface analyzer's dashboard.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 8.1
CVE-2024-38871

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the reports module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_exchange_reporter_plus *
CVE-2024-38872

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the monitoring module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_exchange_reporter_plus *
CVE-2024-41140

Zohocorp ManageEngine Applications Manager versions 174000 and prior are vulnerable to the incorrect authorization in the update user function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 17.0
zohocorp manageengine_applications_manager *
zohocorp manageengine_applications_manager 17.3
CVE-2024-48878

Zohocorp ManageEngine ADManager Plus versions 7241 and prior are vulnerable to SQL Injection in Archived Audit Report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.2
CVE-2024-49574

Zohocorp ManageEngine ADAudit Plus versions below 8123 are vulnerable to SQL Injection in the reports module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 8.1
CVE-2024-50053

Zohocorp ManageEngine ServiceDesk Plus versions below 14920 , ServiceDesk Plus MSP and SupportCentre Plus versions below 14910 are vulnerable to Stored XSS in the task feature.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N 2.1 4.2

Products Affected

Vendor Product Version
zohocorp manageengine_servicedesk_plus *
zohocorp manageengine_servicedesk_plus 14.9
zohocorp manageengine_supportcentre_plus 14.9
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_servicedesk_plus_msp 14.9
zohocorp manageengine_supportcentre_plus *
CVE-2024-52323

Zohocorp ManageEngine Analytics Plus versions below 6100 are vulnerable to authenticated sensitive data exposure which allows the users to retrieve sensitive tokens associated to the org-admin account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6
0fc0942c-577d-436f-ae8e-945763c79b02 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_analytics_plus *
CVE-2024-5466

Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to the authenticated remote code execution in the deploy agent option.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_opmanager *
zohocorp manageengine_opmanager_plus *
zohocorp manageengine_opmanager_plus 12.8
zohocorp manageengine_opmanager_msp *
zohocorp manageengine_opmanager 12.8
zohocorp manageengine_opmanager_msp 12.8
zohocorp manageengine_remote_monitoring_and_management_central -
CVE-2024-5471

Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to agent takeover vulnerability due to the hard-coded sensitive keys.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_ddi_central *
CVE-2024-5608

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in the technician reports feature.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 8.1
CVE-2024-9097

ManageEngine Endpoint Central versions before 11.3.2440.09 are vulnerable to IDOR vulnerability which allows the attacker to change the username in the chat.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N 2.1 1.4

Products Affected

Vendor Product Version
zohocorp manageengine_endpoint_central *
CVE-2024-9459

Zohocorp ManageEngine Exchange Reporter Plus versions 5718 and prior are vulnerable to authenticated SQL Injection in reports module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_exchange_reporter_plus *
CVE-2025-10020

Zohocorp ManageEngine ADManager Plus version before 8024 are vulnerable to authenticated command injection vulnerability in the Custom Script component.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 8.0
CVE-2025-11248

ZohoCorp ManageEngine Endpoint Central versions prior to 11.4.2528.05 are vulnerable to a sensitive information logging issue. An authenticated user with access to the logs could potentially obtain the sensitive agent token.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 3.2 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N 1.5 1.4

Products Affected

Vendor Product Version
zohocorp manageengine_endpoint_central *
CVE-2025-11250

Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.5
zohocorp manageengine_adselfservice_plus *
CVE-2025-11669

Zohocorp ManageEngine PAM360 versions before 8202; Password Manager Pro versions before 13221; Access Manager Plus versions prior to 4401 are vulnerable to an authorization issue in the initiate remote session functionality.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_pam360 8.2
zohocorp manageengine_password_manager_pro 13.2
zohocorp manageengine_access_manager_plus 4.4
zohocorp manageengine_access_manager_plus *
zohocorp manageengine_pam360 *
zohocorp manageengine_password_manager_pro *
CVE-2025-11670

Zohocorp ManageEngine ADManager Plus versions before 8025 are vulnerable to NTLM Hash Exposure.  This vulnerability is exploitable only by technicians who have the “Impersonate as Admin” option enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 3.1 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 8.0
CVE-2025-1723

Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling. Valid account holders in the setup only have the potential to exploit this bug.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.5
zohocorp manageengine_adselfservice_plus *
CVE-2025-27709

Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the Service Account Auditing reports.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 8.5
CVE-2025-27930

Zohocorp ManageEngine Applications Manager versions 176600 and prior are vulnerable to stored cross-site scripting in the File/Directory monitor.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 6.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N 1.2 5.2
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager *
zohocorp manageengine_applications_manager 17.6
CVE-2025-3444

Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
zohocorp manageengine_supportcenter_plus 14.9
zohocorp manageengine_servicedesk_plus_msp *
zohocorp manageengine_servicedesk_plus_msp 14.9
zohocorp manageengine_supportcenter_plus *
CVE-2025-36527

Zohocorp ManageEngine ADAudit Plus versions below 8511 are vulnerable to SQL injection while exporting reports.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 8.5
CVE-2025-36528

Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in Service Account Auditing reports.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 8.5
CVE-2025-3833

Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_adselfservice_plus 6.5
zohocorp manageengine_adselfservice_plus *
CVE-2025-3834

Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the OU History report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 8.5
CVE-2025-3835

Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior are vulnerable to Remote code execution in the Content Search module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_exchange_reporter_plus *
CVE-2025-3836

Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the logon events aggregate report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 8.5
CVE-2025-41403

Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection while fetching service account audit data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 8.5
CVE-2025-41407

Zohocorp ManageEngine ADAudit Plus versions below 8511 are vulnerable to SQL injection in the OU History report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 8.5
CVE-2025-41444

Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the alerts module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
zohocorp manageengine_adaudit_plus *
zohocorp manageengine_adaudit_plus 8.5
CVE-2025-5342

Zohocorp ManageEngine Exchange Reporter Plus through 5721 are vulnerable to ReDOS vulnerability in the search module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_exchange_reporter_plus *
CVE-2025-5343

Zohocorp ManageEngine Exchange Reporter Plus versions through 5721 are vulnerable to Stored Cross Site Scripting in the Instant Search option.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N 2.1 4.2

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_exchange_reporter_plus *
CVE-2025-5347

Zohocorp ManageEngine Exchange Reporter Plus versions before 5723 are vulnerable to Stored Cross Site Scripting in the reports module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N 2.1 4.2

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_exchange_reporter_plus *
CVE-2025-5366

Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Folder-wise read mails with subject report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_exchange_reporter_plus *
CVE-2025-5494

ZohoCorp ManageEngine Endpoint Central was impacted by an improper privilege management issue in the agent setup. This issue affects Endpoint Central: through 11.4.2500.25, through 11.4.2508.13.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
0fc0942c-577d-436f-ae8e-945763c79b02 3.9 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L 1.3 2.5

Products Affected

Vendor Product Version
zohocorp manageengine_endpoint_central *
CVE-2025-5496

ZohoCorp ManageEngine Endpoint Central versions earlier than 11.4.2508.14, 11.4.2516.06, and 11.4.2518.01 are affected by an arbitrary file deletion vulnerability in the agent setup component.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 1.8 1.4

Products Affected

Vendor Product Version
zohocorp manageengine_endpoint_central *
CVE-2025-5966

Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Attachments by filename keyword report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_exchange_reporter_plus *
CVE-2025-6239

Zohocorp ManageEngine Applications Manager versions 176800 and below are vulnerable to information disclosure in File/Directory monitor.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager *
zohocorp manageengine_applications_manager 17.6
CVE-2025-7429

Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Mails Deleted or Moved report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_exchange_reporter_plus *
CVE-2025-7430

Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Folder Message Count and Size report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_exchange_reporter_plus *
CVE-2025-7473

Zohocorp ManageEngine EndPoint Central versions 11.4.2516.1 and prior are vulnerable to XML Injection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 5.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L 2.0 2.7
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 1.8 3.4

Products Affected

Vendor Product Version
zohocorp manageengine_endpoint_central *
CVE-2025-7632

Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Public Folders report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_exchange_reporter_plus *
CVE-2025-7633

Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Custom report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.7
zohocorp manageengine_exchange_reporter_plus *
CVE-2025-9428

Zohocorp ManageEngine Analytics Plus versions 6171 and prior are vulnerable to authenticated SQL Injection via the key update api.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zohocorp manageengine_analytics_plus 6.1
zohocorp manageengine_analytics_plus *
CVE-2025-9435

Zohocorp ManageEngine ADManager Plus versions below 7230 are vulnerable to Path Traversal in the User Management module

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L 2.1 3.4

Products Affected

Vendor Product Version
zohocorp manageengine_admanager_plus *
zohocorp manageengine_admanager_plus 7.2
CVE-2025-9787

Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to Stored Cross-Site Scripting vulnerability in the NOC view.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N 0.9 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_applications_manager 17.7
zohocorp manageengine_applications_manager *
zohocorp manageengine_applications_manager 17.3
CVE-2026-27655

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions Based on Mailboxes report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.8
zohocorp manageengine_exchange_reporter_plus *
CVE-2026-28703

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Mails Exchanged Between Users report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.8
zohocorp manageengine_exchange_reporter_plus *
CVE-2026-28754

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Distribution Lists report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.8
zohocorp manageengine_exchange_reporter_plus *
CVE-2026-28756

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions based on Distribution Groups report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.8
zohocorp manageengine_exchange_reporter_plus *
CVE-2026-3879

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Equipment Mailbox Details report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.8
zohocorp manageengine_exchange_reporter_plus *
CVE-2026-3880

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.8
zohocorp manageengine_exchange_reporter_plus *
CVE-2026-4107

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Folder Message Count and Size report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
0fc0942c-577d-436f-ae8e-945763c79b02 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.8
zohocorp manageengine_exchange_reporter_plus *
CVE-2026-4108

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Non-Owner Mailbox Permission report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7
0fc0942c-577d-436f-ae8e-945763c79b02 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2

Products Affected

Vendor Product Version
zohocorp manageengine_exchange_reporter_plus 5.8
zohocorp manageengine_exchange_reporter_plus *