ManageEngine

All CVEs

296 total · sorted by risk
  • CVE-2012-4891 · Sep 10, 2012
    risk 0.03 · cvss · epss 0.04

    Cross-site scripting (XSS) vulnerability in fw/index2.do in ManageEngine Firewall Analyzer 7.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter, a different vector than CVE-2012-4889. NOTE: the provenance of this information is unknown; the…

  • CVE-2012-2585 · Aug 12, 2012
    risk 0.03 · cvss · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine ServiceDesk Plus 8.1 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a SCRIPT element, (2) a crafted Cascading Style Sheets (CSS) expression property, (3) a CSS…

  • CVE-2012-1049 · Feb 13, 2012
    risk 0.03 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine ADManager Plus 5.2 Build 5210 allow remote attackers to inject arbitrary web script or HTML via the (1) domainName parameter to jsp/AddDC.jsp or (2) operation parameter to DomainConfig.do.

  • CVE-2010-1044 · Mar 23, 2010
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in Login.do in ManageEngine OpUtils 5.0 allows remote attackers to execute arbitrary SQL commands via the isHttpPort parameter.

  • CVE-2008-0474 · Jan 29, 2008
    risk 0.03 · cvss · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Applications Manager 8.1 build 8100 allow remote attackers to inject arbitrary web script or HTML via the (1) showlink parameter to jsp/DiscoveryProfiles.jsp; the (2) attributeIDs, (3) attributeToSelect, (4)…

  • CVE-2007-3593 · Jul 6, 2007
    risk 0.03 · cvss · epss 0.04

    Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine NetFlow Analyzer 5 allow remote attackers to inject arbitrary web script or HTML via the (1) alpha parameter in (a) netflow/jspui/applicationList.jsp, the (2) task parameter in (b) netflow/jspui/appConfig.jsp,…

  • CVE-2007-3594 · Jul 6, 2007
    risk 0.03 · cvss · epss 0.06

    Multiple cross-site scripting (XSS) vulnerabilities in AdventNet ManageEngine OpManager 6 and 7 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter in (a) ping.do and (b) traceRoute.do in map/; the (2) reportName, (3) displayName, and (4)…

  • CVE-2005-3522 · Nov 6, 2005
    risk 0.03 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in index.jsp in ManageEngine Netflow Analyzer 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the grDisp parameter.

  • CVE-2024-0252 · Jan 11, 2024
    risk 0.02 · cvss · epss 0.08

    ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability.

  • CVE-2022-43473 · Mar 30, 2023
    risk 0.02 · cvss · epss 0.20

    A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.

  • CVE-2022-36923 · Aug 10, 2022
    risk 0.02 · cvss · epss 0.08

    Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and…

  • CVE-2022-23050 · May 24, 2022
    risk 0.02 · cvss · epss 0.05

    ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality.

  • CVE-2022-29535 · May 5, 2022
    risk 0.02 · cvss · epss 0.93

    Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports.

  • CVE-2022-24681 · Apr 7, 2022
    risk 0.02 · cvss · epss 0.04

    Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.

  • CVE-2020-24743 · Nov 3, 2021
    risk 0.02 · cvss · epss 0.03

    An issue was found in /showReports.do Zoho ManageEngine Applications Manager up to 14550, allows attackers to gain escalated privileges via the resourceid parameter.

  • CVE-2021-37922 · Oct 7, 2021
    risk 0.02 · cvss · epss 0.02

    Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to path traversal which allows copying of files from one directory to another.

  • CVE-2021-28959 · Apr 30, 2021
    risk 0.02 · cvss · epss 0.17

    Zoho ManageEngine Eventlog Analyzer through 12147 is vulnerable to unauthenticated directory traversal via an entry in a ZIP archive. This leads to remote code execution.

  • CVE-2020-10816 · Oct 8, 2020
    risk 0.02 · cvss · epss 0.05

    Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet.

  • CVE-2019-12196 · Jun 5, 2019
    risk 0.02 · cvss · epss 0.69

    A SQL injection vulnerability in /client/api/json/v2/nfareports/compareReport in Zoho ManageEngine NetFlow Analyzer 12.3 allows attackers to execute arbitrary SQL commands via the DeviceID parameter.

  • CVE-2018-18980 · Nov 6, 2018
    risk 0.02 · cvss · epss 0.25

    An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local…

  • CVE-2014-9371 · Dec 16, 2014
    risk 0.02 · cvss · epss 0.19

    The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object.

  • CVE-2025-5966 · Jun 26, 2025
    risk 0.01 · cvss · epss 0.01

    Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Attachments by filename keyword report.

  • CVE-2025-5366 · Jun 26, 2025
    risk 0.01 · cvss · epss 0.01

    Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Folder-wise read mails with subject report.

  • CVE-2025-36527 · May 23, 2025
    risk 0.01 · cvss · epss 0.20

    Zohocorp ManageEngine ADAudit Plus versions below 8511 are vulnerable to SQL injection while exporting reports.

  • CVE-2024-5471 · Jul 17, 2024
    risk 0.01 · cvss · epss 0.02

    Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to agent takeover vulnerability due to the hard-coded sensitive keys.

  • CVE-2023-48792 · Feb 2, 2024
    risk 0.01 · cvss · epss 0.07

    Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.

  • CVE-2023-26601 · Mar 6, 2023
    risk 0.01 · cvss · epss 0.34

    Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS).

  • CVE-2022-28987 · May 20, 2022
    risk 0.01 · cvss · epss 0.10

    Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.

  • CVE-2021-20147 · Jan 3, 2022
    risk 0.01 · cvss · epss 0.07

    ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists.

  • CVE-2021-37419 · Sep 21, 2021
    risk 0.01 · cvss · epss 0.02

    Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF.

  • CVE-2021-37424 · Sep 21, 2021
    risk 0.01 · cvss · epss 0.05

    ManageEngine ADSelfService Plus before 6112 is vulnerable to domain user account takeover.

  • CVE-2021-37421 · Aug 30, 2021
    risk 0.01 · cvss · epss 0.02

    Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass.

  • CVE-2021-33256 · Aug 9, 2021
    risk 0.01 · cvss · epss 0.79

    A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User…

  • CVE-2021-20080 · Apr 9, 2021
    risk 0.01 · cvss · epss 0.93

    Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file.

  • CVE-2020-24786 · Aug 31, 2020
    risk 0.01 · cvss · epss 0.13

    An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer…

  • CVE-2020-11527 · Apr 4, 2020
    risk 0.01 · cvss · epss 0.09

    In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files.

  • CVE-2020-8509 · Mar 30, 2020
    risk 0.01 · cvss · epss 0.10

    Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure.

  • CVE-2017-11559 · May 23, 2019
    risk 0.01 · cvss · epss 0.04

    An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack.

  • CVE-2019-11678 · May 2, 2019
    risk 0.01 · cvss · epss 0.09

    The "default reports" feature in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123218 is vulnerable to SQL Injection.

  • CVE-2018-20173 · Dec 17, 2018
    risk 0.01 · cvss · epss 0.24

    Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API.

  • CVE-2018-19118 · Dec 13, 2018
    risk 0.01 · cvss · epss 0.07

    Zoho ManageEngine ADAudit before 5.1 build 5120 allows remote attackers to cause a denial of service (stack-based buffer overflow) via the 'Domain Name' field when adding a new domain.

  • CVE-2018-18949 · Nov 5, 2018
    risk 0.01 · cvss · epss 0.24

    Zoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via Mail Server settings.

  • CVE-2014-9373 · Dec 16, 2014
    risk 0.01 · cvss · epss 0.06

    Directory traversal vulnerability in the CollectorConfInfoServlet servlet in ManageEngine NetFlow Analyzer allows remote attackers to execute arbitrary code via a .. (dot dot) in the filename.

  • CVE-2026-11374 · Jun 23, 2026
    risk 0.00 · cvss · epss 0.01

    In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.

  • CVE-2025-12381 · Dec 9, 2025
    risk 0.00 · cvss · epss 0.00

    Improper Privilege Management vulnerability in AlgoSec Firewall Analyzer on Linux, 64 bit allows Privilege Escalation, Parameter Injection. A local user with access to the command line may escalate their privileges by abusing the parameters of a command that is approved in the…

  • CVE-2025-12382 · Nov 12, 2025
    risk 0.00 · cvss · epss 0.00

    Improper Limitation of a Pathname ('Path Traversal') vulnerability in Algosec Firewall Analyzer on Linux, 64 bit allows an authenticated user to upload files to a restricted directory leading to code injection. This issue affects Algosec Firewall Analyzer: A33.0 (up to build…

  • CVE-2025-5343 · Oct 30, 2025
    risk 0.00 · cvss · epss 0.00

    Zohocorp ManageEngine Exchange Reporter Plus versions through 5721 are vulnerable to Stored Cross Site Scripting in the Instant Search option.

  • CVE-2025-27930 · Jul 23, 2025
    risk 0.00 · cvss · epss 0.00

    Zohocorp ManageEngine Applications Manager versions 176600 and prior are vulnerable to stored cross-site scripting in the File/Directory monitor.

  • CVE-2025-41444 · Jun 9, 2025
    risk 0.00 · cvss · epss 0.01

    Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the alerts module.

  • CVE-2025-36528 · Jun 9, 2025
    risk 0.00 · cvss · epss 0.01

    Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in Service Account Auditing reports.

Page 3 of 6