VYPR

ManageEngine Application Control Plus

by Zoho

CVEs (46)

  • CVE-2020-15927HigOct 6, 2020
    risk 0.60cvss 8.8epss 0.40

    Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module.

  • CVE-2020-35765HigFeb 5, 2021
    risk 0.59cvss 8.8epss 0.27

    doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do.

  • CVE-2020-27733HigJan 19, 2021
    risk 0.58cvss 8.8epss 0.09

    Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.

  • CVE-2014-7863HigFeb 8, 2020
    risk 0.58cvss 7.5epss 0.83

    The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users…

  • CVE-2019-19650HigDec 11, 2019
    risk 0.58cvss 8.8epss 0.06

    Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.

  • CVE-2020-28679HigJan 10, 2022
    risk 0.57cvss 8.8epss 0.03

    A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request.

  • CVE-2017-11740HigMay 23, 2019
    risk 0.57cvss 8.8epss 0.03

    In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be executed upon the occurrence of an alarm. An attacker can abuse this functionality by uploading a malicious script that can be executed on the…

  • CVE-2018-16364HigSep 26, 2018
    risk 0.54cvss 8.1epss 0.15

    A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share.

  • CVE-2020-14008HigSep 4, 2020
    risk 0.53cvss 7.2epss 0.36

    Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution.

  • CVE-2017-11738HigMay 23, 2019
    risk 0.53cvss 8.1epss 0.04

    In Zoho ManageEngine Application Manager prior to 14.6 Build 14660, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack.

  • CVE-2020-10816HigOct 8, 2020
    risk 0.49cvss 7.5epss 0.05

    Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet.

  • CVE-2023-28341MedApr 11, 2023
    risk 0.48cvss 6.1epss 0.99

    Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page.

  • CVE-2022-47578HigDec 20, 2022
    risk 0.46cvss 7.1epss 0.01

    An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the…

  • CVE-2022-47577HigDec 20, 2022
    risk 0.46cvss 7.1epss 0.01

    An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the…

  • CVE-2023-28340MedApr 11, 2023
    risk 0.43cvss 6.5epss 0.03

    Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.

  • CVE-2021-35512MedOct 21, 2021
    risk 0.42cvss 6.5epss 0.02

    An SSRF issue was discovered in Zoho ManageEngine Applications Manager build 15200.

  • CVE-2021-31813MedJul 1, 2021
    risk 0.41cvss 5.4epss 0.78

    Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD.

  • CVE-2023-38333MedAug 10, 2023
    risk 0.40cvss 6.1epss 0.02

    Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.

  • CVE-2023-29442MedApr 26, 2023
    risk 0.40cvss 6.1epss 0.09

    Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS.

  • CVE-2020-15521MedSep 25, 2020
    risk 0.40cvss 6.1epss 0.02

    Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS) .