Vendor CVEs
ManageEngine
All CVEs
296 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2022-29081 | 0.07 | — | 0.83 | Apr 28, 2022 | Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via… | |||
| CVE-2020-12116 | 0.07 | — | 0.97 | May 7, 2020 | Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. | |||
| CVE-2014-5007 | 0.07 | — | 0.37 | Jan 17, 2020 | Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot… | |||
| CVE-2023-47211 | 0.06 | — | 0.47 | Jan 8, 2024 | A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. | |||
| CVE-2020-13818 | 0.06 | — | 0.37 | Jun 4, 2020 | In Zoho ManageEngine OpManager before 125144, when is used, directory traversal validation can be bypassed. | |||
| CVE-2014-3996 | 0.06 | — | 0.36 | Dec 5, 2014 | SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90043, Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition… | |||
| CVE-2014-8499 | 0.06 | — | 0.34 | Nov 17, 2014 | Multiple SQL injection vulnerabilities in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allow remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter to (1)… | |||
| CVE-2011-2757 | 0.06 | — | 0.39 | Jul 17, 2011 | Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0.0.12 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the FILENAME parameter. NOTE: this might overlap the US-CERT VU#543310 issue. | |||
| CVE-2023-31099 | 0.05 | — | 0.82 | May 4, 2023 | Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers. | |||
| CVE-2023-28342 | 0.05 | — | 0.79 | Apr 5, 2023 | Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API. | |||
| CVE-2022-40770 | 0.05 | — | 0.83 | Nov 23, 2022 | Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users. | |||
| CVE-2021-20081 | 0.05 | — | 0.52 | Jun 10, 2021 | Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary commands with SYSTEM privileges. | |||
| CVE-2020-11946 | 0.05 | — | 0.52 | Apr 20, 2020 | Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call. | |||
| CVE-2014-5006 | 0.05 | — | 0.25 | Oct 21, 2014 | Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter to mdm/mdmLogUploader. | |||
| CVE-2011-2755 | 0.05 | — | 0.31 | Jul 17, 2011 | Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0 before Build 8012 allows remote attackers to read arbitrary files via unspecified vectors. | |||
| CVE-2022-37024 | 0.04 | — | 0.78 | Aug 9, 2022 | Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 (125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code… | |||
| CVE-2021-20131 | 0.04 | — | 0.16 | Oct 13, 2021 | ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the Personalization interface. | |||
| CVE-2021-20130 | 0.04 | — | 0.32 | Oct 13, 2021 | ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the PasswordExpiry interface. | |||
| CVE-2021-28958 | 0.04 | — | 0.73 | Jun 25, 2021 | Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password. | |||
| CVE-2021-20078 | 0.04 | — | 0.60 | Apr 1, 2021 | Manage Engine OpManager builds below 125346 are vulnerable to a remote denial of service vulnerability due to a path traversal issue in spark gateway component. This allows a remote attacker to remotely delete any directory or directories on the OS. | |||
| CVE-2019-8925 | 0.04 | — | 0.12 | May 17, 2019 | An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. An Absolute Path Traversal vulnerability in the Administration zone, in /netflow/servlet/CReportPDFServlet (via the parameter schFilePath), allows remote authenticated users to bypass intended… | |||
| CVE-2019-11469 | 0.04 | — | 0.18 | Apr 23, 2019 | Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature. | |||
| CVE-2019-10273 | 0.04 | — | 0.08 | Apr 4, 2019 | Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users to enumerate active users. Due to a flaw within the way the authentication is handled, an attacker is able to login and verify any active account. | |||
| CVE-2015-1480 | 0.04 | — | 0.06 | Feb 4, 2015 | ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4)… | |||
| CVE-2014-3997 | 0.04 | — | 0.09 | Dec 5, 2014 | SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and… | |||
| CVE-2014-5445 | 0.04 | — | 0.98 | Dec 4, 2014 | Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2)… | |||
| CVE-2014-8498 | 0.04 | — | 0.13 | Nov 17, 2014 | SQL injection vulnerability in BulkEditSearchResult.cc in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allows remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL… | |||
| CVE-2012-4889 | 0.04 | — | 0.08 | Sep 10, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Firewall Analyzer 7.2 allow remote attackers to inject arbitrary web script or HTML via the (1) subTab or (2) tab parameter to createAnomaly.do; (3) url, (4) subTab, or (5) tab parameter to mindex.do; (6) tab… | |||
| CVE-2007-2429 | 0.04 | — | 0.08 | May 2, 2007 | ManageEngine PasswordManager Pro (PMP) allows remote attackers to obtain administrative access to a database by injecting a certain command line for the mysql program, as demonstrated by the "-port 2345" and "-u root" arguments. NOTE: the provenance of this information is… | |||
| CVE-2024-24409 | 0.03 | — | 0.04 | Nov 8, 2024 | Zohocorp ManageEngine ADManager Plus versions 7203 and prior are vulnerable to Privilege Escalation in the Modify Computers option. | |||
| CVE-2022-43672 | 0.03 | — | 0.67 | Nov 12, 2022 | Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671). | |||
| CVE-2022-40300 | 0.03 | — | 0.99 | Sep 16, 2022 | Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 have multiple SQL injection vulnerabilities. | |||
| CVE-2022-38772 | 0.03 | — | 0.78 | Aug 29, 2022 | Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes that lead to remote code execution in the NMAP feature. | |||
| CVE-2021-20136 | 0.03 | — | 0.10 | Nov 1, 2021 | ManageEngine Log360 Builds < 5235 are affected by an improper access control vulnerability allowing database configuration overwrite. An unauthenticated remote attacker can send a specially crafted message to Log360 to change its backend database to an attacker-controlled… | |||
| CVE-2021-37919 | 0.03 | — | 0.11 | Oct 7, 2021 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||
| CVE-2021-37921 | 0.03 | — | 0.11 | Oct 7, 2021 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||
| CVE-2021-37931 | 0.03 | — | 0.09 | Oct 7, 2021 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||
| CVE-2021-37929 | 0.03 | — | 0.09 | Oct 7, 2021 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||
| CVE-2021-37928 | 0.03 | — | 0.09 | Oct 7, 2021 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | |||
| CVE-2019-15083 | 0.03 | — | 0.06 | May 14, 2020 | Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine… | |||
| CVE-2019-12538 | 0.03 | — | 0.06 | Jun 5, 2019 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field. | |||
| CVE-2019-12541 | 0.03 | — | 0.06 | Jun 5, 2019 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter. | |||
| CVE-2019-12543 | 0.03 | — | 0.06 | Jun 5, 2019 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter. | |||
| CVE-2019-12252 | 0.03 | — | 0.08 | May 21, 2019 | In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring. | |||
| CVE-2019-8927 | 0.03 | — | 0.06 | May 17, 2019 | An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/scheduleConfig.jsp file via these GET parameters: devSrc, emailId, excWeekModify, filterFlag, getFilter, mailReport, mset, popup,… | |||
| CVE-2019-8926 | 0.03 | — | 0.06 | May 17, 2019 | An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/popup1.jsp file via these GET parameters: bussAlert, customDev, and selSource. | |||
| CVE-2018-19374 | 0.03 | — | 0.01 | Apr 30, 2019 | Zoho ManageEngine ADManager Plus 6.6 Build 6657 allows local users to gain privileges (after a reboot) by placing a Trojan horse file into the permissive bin directory. | |||
| CVE-2014-9331 | 0.03 | — | 0.05 | Feb 4, 2015 | Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via an addUser action to… | |||
| CVE-2014-6037 | 0.03 | — | 0.84 | Oct 26, 2014 | Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its… | |||
| CVE-2013-5092 | 0.03 | — | 0.03 | Jan 29, 2014 | Cross-site scripting (XSS) vulnerability in afa/php/Login.php in AlgoSec Firewall Analyzer 6.1-b86 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. |

Page 2 of 6