ManageEngine O365 Manager Plus
by Zoho
CVEs (49)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-37761 | Cri | 0.64 | 9.8 | 0.09 | Sep 27, 2021 | Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to unrestricted file upload, leading to remote code execution. | ||
| CVE-2021-37927 | Cri | 0.64 | 9.8 | 0.02 | Sep 22, 2021 | Zoho ManageEngine ADManager Plus version 7110 and prior allows account takeover via SSO. | ||
| CVE-2021-33911 | Cri | 0.64 | 9.8 | 0.05 | Jul 17, 2021 | Zoho ManageEngine ADManager Plus before 7110 allows remote code execution. | ||
| CVE-2022-38772 | Hig | 0.63 | 8.8 | 0.78 | Aug 29, 2022 | Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes that lead to remote code execution in the NMAP feature. | ||
| CVE-2022-37024 | Hig | 0.63 | 8.8 | 0.78 | Aug 10, 2022 | Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 ( 125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code… | ||
| CVE-2023-29084 | Hig | 0.58 | 7.2 | 0.98 | Apr 13, 2023 | Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings. | ||
| CVE-2017-17552 | Hig | 0.57 | 8.8 | 0.02 | Feb 7, 2018 | /LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted. | ||
| CVE-2023-48646 | Hig | 0.53 | 7.2 | 0.82 | Nov 22, 2023 | Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings. | ||
| CVE-2021-44652 | Hig | 0.51 | 7.8 | 0.03 | Jan 12, 2022 | Zoho ManageEngine O365 Manager Plus before Build 4416 allows remote code execution via BCP file overwrite through the ChangeDBAPI component. | ||
| CVE-2022-36923 | Hig | 0.49 | 7.5 | 0.08 | Aug 10, 2022 | Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and… | ||
| CVE-2018-19374 | Hig | 0.49 | 7.0 | 0.01 | Apr 30, 2019 | Zoho ManageEngine ADManager Plus 6.6 Build 6657 allows local users to gain privileges (after a reboot) by placing a Trojan horse file into the permissive bin directory. | ||
| CVE-2023-38743 | Hig | 0.48 | 7.2 | 0.12 | Sep 11, 2023 | Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine. | ||
| CVE-2019-12876 | Hig | 0.48 | 7.3 | 0.05 | Jul 17, 2019 | Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System. | ||
| CVE-2022-42904 | Hig | 0.47 | 7.2 | 0.08 | Nov 18, 2022 | Zoho ManageEngine ADManager Plus through 7151 allows authenticated admin users to execute the commands in proxy settings. | ||
| CVE-2021-44650 | Hig | 0.47 | 7.2 | 0.05 | Jan 12, 2022 | Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote command execution when updating proxy settings through the Admin ProxySettings and Tenant ProxySettings components. | ||
| CVE-2023-31492 | Med | 0.43 | 6.5 | 0.05 | Aug 17, 2023 | Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users. | ||
| CVE-2018-15740 | Med | 0.43 | 6.1 | 0.06 | Aug 28, 2018 | Zoho ManageEngine ADManager Plus 6.5.7 has XSS on the "Workflow Delegation" "Requester Roles" screen. | ||
| CVE-2018-15608 | Med | 0.43 | 6.1 | 0.02 | Aug 28, 2018 | Zoho ManageEngine ADManager Plus 6.5.7 allows HTML Injection on the "AD Delegation" "Help Desk Technicians" screen. | ||
| CVE-2023-38332 | Med | 0.42 | 6.5 | 0.03 | Aug 4, 2023 | Zoho ManageEngine ADManager Plus through 7201 allow authenticated users to take over another user's account via sensitive information disclosure. | ||
| CVE-2021-36772 | Med | 0.40 | 6.1 | 0.01 | Jul 17, 2021 | Zoho ManageEngine ADManager Plus before 7110 allows stored XSS. |
- risk 0.64cvss 9.8epss 0.09
Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to unrestricted file upload, leading to remote code execution.
- risk 0.64cvss 9.8epss 0.02
Zoho ManageEngine ADManager Plus version 7110 and prior allows account takeover via SSO.
- risk 0.64cvss 9.8epss 0.05
Zoho ManageEngine ADManager Plus before 7110 allows remote code execution.
- risk 0.63cvss 8.8epss 0.78
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes that lead to remote code execution in the NMAP feature.
- risk 0.63cvss 8.8epss 0.78
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 ( 125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code…
- risk 0.58cvss 7.2epss 0.98
Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings.
- risk 0.57cvss 8.8epss 0.02
/LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted.
- risk 0.53cvss 7.2epss 0.82
Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings.
- risk 0.51cvss 7.8epss 0.03
Zoho ManageEngine O365 Manager Plus before Build 4416 allows remote code execution via BCP file overwrite through the ChangeDBAPI component.
- risk 0.49cvss 7.5epss 0.08
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and…
- risk 0.49cvss 7.0epss 0.01
Zoho ManageEngine ADManager Plus 6.6 Build 6657 allows local users to gain privileges (after a reboot) by placing a Trojan horse file into the permissive bin directory.
- risk 0.48cvss 7.2epss 0.12
Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine.
- risk 0.48cvss 7.3epss 0.05
Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System.
- risk 0.47cvss 7.2epss 0.08
Zoho ManageEngine ADManager Plus through 7151 allows authenticated admin users to execute the commands in proxy settings.
- risk 0.47cvss 7.2epss 0.05
Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote command execution when updating proxy settings through the Admin ProxySettings and Tenant ProxySettings components.
- risk 0.43cvss 6.5epss 0.05
Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users.
- risk 0.43cvss 6.1epss 0.06
Zoho ManageEngine ADManager Plus 6.5.7 has XSS on the "Workflow Delegation" "Requester Roles" screen.
- risk 0.43cvss 6.1epss 0.02
Zoho ManageEngine ADManager Plus 6.5.7 allows HTML Injection on the "AD Delegation" "Help Desk Technicians" screen.
- risk 0.42cvss 6.5epss 0.03
Zoho ManageEngine ADManager Plus through 7201 allow authenticated users to take over another user's account via sensitive information disclosure.
- risk 0.40cvss 6.1epss 0.01
Zoho ManageEngine ADManager Plus before 7110 allows stored XSS.
Page 2 of 3