ManageEngine AssetExplorer
by Zohocorp
CVEs (14)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-2169 | | | 0.04 | — | 0.08 | | Jun 24, 2015 | Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 allows remote attackers to inject arbitrary web script or HTML via a Publisher registry entry, which is not properly handled when the machine is scanned. |
| CVE-2019-19034 | | | 0.02 | — | 0.06 | | Mar 23, 2020 | Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT… |
| CVE-2021-20080 | | | 0.01 | — | 0.93 | | Apr 9, 2021 | Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file. |
| CVE-2023-29443 | | | 0.00 | — | 0.03 | | Apr 26, 2023 | Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint. |
| CVE-2020-8838 | | | 0.00 | — | 0.02 | | Mar 23, 2020 | An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. During an upgrade of the Windows agent, it does not validate the source and binary downloaded. This allows an attacker on an adjacent network to execute code with NT AUTHORITY/SYSTEM privileges on the agent machines… |
| CVE-2019-12959 | | | 0.00 | — | 0.03 | | Aug 8, 2019 | Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer 6.2.0 and before for the ClientUtilServlet servlet via a URL in a parameter. |
| CVE-2019-12994 | | | 0.00 | — | 0.04 | | Aug 8, 2019 | Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer version 6.2.0 for the AJaxServlet servlet via a parameter in a URL. |
| CVE-2019-14693 | | | 0.00 | — | 0.04 | | Aug 8, 2019 | Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. |
| CVE-2019-12537 | | | 0.00 | — | 0.02 | | Jul 11, 2019 | An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via the SearchN.do search field. |
| CVE-2019-12595 | | | 0.00 | — | 0.02 | | Jul 11, 2019 | An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via the RCSettings.do rdsName parameter. |
| CVE-2019-12596 | | | 0.00 | — | 0.02 | | Jul 11, 2019 | An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via SoftwareListView.do with the parameter swType or swComplianceType. |
| CVE-2019-12597 | | | 0.00 | — | 0.02 | | Jul 11, 2019 | An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via ResourcesAttachments.jsp with the parameter pageName. |
| CVE-2015-5061 | | | 0.00 | — | 0.02 | | Jun 24, 2015 | Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 and earlier allows remote authenticated users with permissions to add new vendors to inject arbitrary web script or HTML via the organizationName parameter to VendorDef.do. |
| CVE-2012-5956 | | | 0.00 | — | 0.04 | | Dec 11, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine AssetExplorer 5.6 before service pack 5614 allow remote attackers to inject arbitrary web script or HTML via fields in XML asset data to discoveryServlet/WsDiscoveryServlet, as demonstrated by the… |