ManageEngine Remote Access Plus
by Zoho
CVEs (11)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-47523 | Cri | 0.69 | 9.8 | 0.71 | Jan 5, 2023 | Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection. | ||
| CVE-2022-43672 | Cri | 0.69 | 9.8 | 0.67 | Nov 12, 2022 | Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671. | ||
| CVE-2019-11361 | Hig | 0.57 | 8.8 | 0.03 | Mar 19, 2020 | Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user permissions properly, allowing for privilege escalation and eventually a full application takeover. | ||
| CVE-2021-41829 | Hig | 0.49 | 7.5 | 0.03 | Sep 30, 2021 | Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application's build number to calculate a certain encryption key. | ||
| CVE-2021-41828 | Hig | 0.49 | 7.5 | 0.05 | Sep 30, 2021 | Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials associated with resetPWD.xml. | ||
| CVE-2021-41827 | Hig | 0.49 | 7.5 | 0.05 | Sep 30, 2021 | Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials for read-only access. The credentials are in the source code that corresponds to the DCBackupRestore JAR archive. | ||
| CVE-2022-26777 | Med | 0.35 | 5.3 | 0.02 | Apr 16, 2022 | Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details. | ||
| CVE-2022-26653 | Med | 0.35 | 5.3 | 0.02 | Apr 16, 2022 | Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator). | ||
| CVE-2019-16268 | Med | 0.31 | 4.8 | 0.02 | Feb 3, 2021 | Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen. | ||
| CVE-2019-20474 | Med | 0.28 | 4.3 | 0.01 | Feb 17, 2020 | An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network… | ||
| CVE-2020-8422 | Med | 0.28 | 4.3 | 0.01 | Jan 31, 2020 | An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name,… |
- risk 0.69cvss 9.8epss 0.71
Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.
- risk 0.69cvss 9.8epss 0.67
Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671.
- risk 0.57cvss 8.8epss 0.03
Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user permissions properly, allowing for privilege escalation and eventually a full application takeover.
- risk 0.49cvss 7.5epss 0.03
Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application's build number to calculate a certain encryption key.
- risk 0.49cvss 7.5epss 0.05
Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials associated with resetPWD.xml.
- risk 0.49cvss 7.5epss 0.05
Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials for read-only access. The credentials are in the source code that corresponds to the DCBackupRestore JAR archive.
- risk 0.35cvss 5.3epss 0.02
Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details.
- risk 0.35cvss 5.3epss 0.02
Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator).
- risk 0.31cvss 4.8epss 0.02
Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen.
- risk 0.28cvss 4.3epss 0.01
An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network…
- risk 0.28cvss 4.3epss 0.01
An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name,…