OpManager
by ManageEngine
CVEs (33)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-9226 | | Med | 0.30 | 4.6 | 0.00 | | Jan 30, 2026 | Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details. |
| CVE-2024-38870 | | Low | 0.23 | 3.5 | 0.00 | | Jul 17, 2024 | Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and OpManager Enterprise Edition versions before 128104, from 128151 before 128238, from 128247 before 128250 are vulnerable to Stored XSS vulnerability in reports module. |
| CVE-2020-28653 | | | 0.10 | — | 0.79 | | Feb 3, 2021 | Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet. |
| CVE-2014-7863 | | | 0.10 | — | 0.83 | | Feb 8, 2020 | The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users… |
| CVE-2020-12116 | | | 0.07 | — | 0.97 | | May 7, 2020 | Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. |
| CVE-2023-47211 | | | 0.06 | — | 0.47 | | Jan 8, 2024 | A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. |
| CVE-2020-13818 | | | 0.06 | — | 0.37 | | Jun 4, 2020 | In Zoho ManageEngine OpManager before 125144, when is used, directory traversal validation can be bypassed. |
| CVE-2023-31099 | | | 0.05 | — | 0.82 | | May 4, 2023 | Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers. |
| CVE-2020-11946 | | | 0.05 | — | 0.52 | | Apr 20, 2020 | Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call. |
| CVE-2022-37024 | | | 0.04 | — | 0.78 | | Aug 9, 2022 | Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 (125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code… |
| CVE-2021-20078 | | | 0.04 | — | 0.60 | | Apr 1, 2021 | Manage Engine OpManager builds below 125346 are vulnerable to a remote denial of service vulnerability due to a path traversal issue in spark gateway component. This allows a remote attacker to remotely delete any directory or directories on the OS. |
| CVE-2022-38772 | | | 0.03 | — | 0.78 | | Aug 29, 2022 | Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes that lead to remote code execution in the NMAP feature. |
| CVE-2007-3594 | | | 0.03 | — | 0.06 | | Jul 6, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in AdventNet ManageEngine OpManager 6 and 7 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter in (a) ping.do and (b) traceRoute.do in map/; the (2) reportName, (3) displayName, and (4)… |
| CVE-2022-43473 | | | 0.02 | — | 0.20 | | Mar 30, 2023 | A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability. |
| CVE-2022-36923 | | | 0.02 | — | 0.08 | | Aug 10, 2022 | Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and… |
| CVE-2022-29535 | | | 0.02 | — | 0.93 | | May 5, 2022 | Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports. |
| CVE-2018-18980 | | | 0.02 | — | 0.25 | | Nov 6, 2018 | An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local… |
| CVE-2020-11527 | | | 0.01 | — | 0.09 | | Apr 4, 2020 | In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. |
| CVE-2017-11559 | | | 0.01 | — | 0.04 | | May 23, 2019 | An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack. |
| CVE-2018-20173 | | | 0.01 | — | 0.24 | | Dec 17, 2018 | Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API. |
Page 1 of 2