ManageEngine Application Control Plus
by Zoho
CVEs (46)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-15927 | Hig | 0.60 | 8.8 | 0.40 | Oct 6, 2020 | Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module. | ||
| CVE-2020-35765 | Hig | 0.59 | 8.8 | 0.27 | Feb 5, 2021 | doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do. | ||
| CVE-2020-27733 | Hig | 0.58 | 8.8 | 0.09 | Jan 19, 2021 | Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request. | ||
| CVE-2014-7863 | Hig | 0.58 | 7.5 | 0.83 | Feb 8, 2020 | The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users… | ||
| CVE-2019-19650 | Hig | 0.58 | 8.8 | 0.06 | Dec 11, 2019 | Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. | ||
| CVE-2020-28679 | Hig | 0.57 | 8.8 | 0.03 | Jan 10, 2022 | A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request. | ||
| CVE-2017-11740 | Hig | 0.57 | 8.8 | 0.03 | May 23, 2019 | In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be executed upon the occurrence of an alarm. An attacker can abuse this functionality by uploading a malicious script that can be executed on the… | ||
| CVE-2018-16364 | Hig | 0.54 | 8.1 | 0.15 | Sep 26, 2018 | A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share. | ||
| CVE-2020-14008 | Hig | 0.53 | 7.2 | 0.36 | Sep 4, 2020 | Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution. | ||
| CVE-2017-11738 | Hig | 0.53 | 8.1 | 0.04 | May 23, 2019 | In Zoho ManageEngine Application Manager prior to 14.6 Build 14660, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack. | ||
| CVE-2020-10816 | Hig | 0.49 | 7.5 | 0.05 | Oct 8, 2020 | Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet. | ||
| CVE-2023-28341 | Med | 0.48 | 6.1 | 0.99 | Apr 11, 2023 | Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page. | ||
| CVE-2022-47578 | Hig | 0.46 | 7.1 | 0.01 | Dec 20, 2022 | An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the… | ||
| CVE-2022-47577 | Hig | 0.46 | 7.1 | 0.01 | Dec 20, 2022 | An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the… | ||
| CVE-2023-28340 | Med | 0.43 | 6.5 | 0.03 | Apr 11, 2023 | Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack. | ||
| CVE-2021-35512 | Med | 0.42 | 6.5 | 0.02 | Oct 21, 2021 | An SSRF issue was discovered in Zoho ManageEngine Applications Manager build 15200. | ||
| CVE-2021-31813 | Med | 0.41 | 5.4 | 0.78 | Jul 1, 2021 | Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD. | ||
| CVE-2023-38333 | Med | 0.40 | 6.1 | 0.02 | Aug 10, 2023 | Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in. | ||
| CVE-2023-29442 | Med | 0.40 | 6.1 | 0.09 | Apr 26, 2023 | Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS. | ||
| CVE-2020-15521 | Med | 0.40 | 6.1 | 0.02 | Sep 25, 2020 | Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS) . |
- risk 0.60cvss 8.8epss 0.40
Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module.
- risk 0.59cvss 8.8epss 0.27
doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do.
- risk 0.58cvss 8.8epss 0.09
Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.
- risk 0.58cvss 7.5epss 0.83
The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users…
- risk 0.58cvss 8.8epss 0.06
Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.
- risk 0.57cvss 8.8epss 0.03
A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request.
- risk 0.57cvss 8.8epss 0.03
In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be executed upon the occurrence of an alarm. An attacker can abuse this functionality by uploading a malicious script that can be executed on the…
- risk 0.54cvss 8.1epss 0.15
A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share.
- risk 0.53cvss 7.2epss 0.36
Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution.
- risk 0.53cvss 8.1epss 0.04
In Zoho ManageEngine Application Manager prior to 14.6 Build 14660, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack.
- risk 0.49cvss 7.5epss 0.05
Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet.
- risk 0.48cvss 6.1epss 0.99
Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page.
- risk 0.46cvss 7.1epss 0.01
An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the…
- risk 0.46cvss 7.1epss 0.01
An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the…
- risk 0.43cvss 6.5epss 0.03
Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.
- risk 0.42cvss 6.5epss 0.02
An SSRF issue was discovered in Zoho ManageEngine Applications Manager build 15200.
- risk 0.41cvss 5.4epss 0.78
Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD.
- risk 0.40cvss 6.1epss 0.02
Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.
- risk 0.40cvss 6.1epss 0.09
Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS.
- risk 0.40cvss 6.1epss 0.02
Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS) .
Page 2 of 3