ManageEngine Application Control Plus
by Zoho
CVEs (13)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2020-14008 | 0.07 | — | 0.44 | Sep 4, 2020 | Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution. |
| CVE-2020-27995 | 0.03 | — | 0.36 | Oct 29, 2020 | SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter. |
| CVE-2020-15394 | 0.03 | — | 0.31 | Sep 25, 2020 | The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution. |
| CVE-2021-31813 | 0.02 | — | 0.23 | Jul 1, 2021 | Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD. |
| CVE-2020-29658 | 0.01 | — | 0.15 | Mar 5, 2021 | Zoho ManageEngine Application Control Plus before 100523 has an insecure SSL configuration setting for Nginx, leading to Privilege Escalation. |
| CVE-2020-15533 | 0.01 | — | 0.11 | Oct 1, 2020 | In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack. |
| CVE-2020-15521 | 0.01 | — | 0.07 | Sep 25, 2020 | Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS). |
| CVE-2022-47577 | 0.00 | — | 0.00 | Dec 20, 2022 | An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the… |
| CVE-2020-28679 | 0.00 | — | 0.03 | Jan 10, 2022 | A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request. |
| CVE-2021-35512 | 0.00 | — | 0.01 | Oct 21, 2021 | An SSRF issue was discovered in Zoho ManageEngine Applications Manager build 15200. |
| CVE-2020-27733 | 0.00 | — | 0.04 | Jan 19, 2021 | Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request. |
| CVE-2020-16267 | 0.00 | — | 0.02 | Oct 6, 2020 | Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module. |
| CVE-2020-15927 | 0.00 | — | 0.01 | Oct 6, 2020 | Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module. |