ManageEngine

All CVEs

296 total · sorted by risk
  • CVE-2023-49332 · May 20, 2024
    risk 0.00 cvss epss 0.03

    Zoho ManageEngine ADAudit Plus versions below 7271 allow SQL injection while adding file shares.

  • CVE-2023-49331 · May 20, 2024
    risk 0.00 cvss epss 0.03

    Zoho ManageEngine ADAudit Plus versions below 7271 allow SQL injection in the aggregate reports search option.

  • CVE-2024-27312 · May 20, 2024
    risk 0.00 cvss epss 0.01

    Zohocorp ManageEngine PAM360 version 6601 has an authorization vulnerability that allows a low-privileged user to perform admin actions. Note: This vulnerability affects only the PAM360 6600 version. No other versions are affected.

  • CVE-2023-49330 · May 20, 2024
    risk 0.00 cvss epss 0.02

    Zoho ManageEngine ADAudit Plus versions below 7271 allow SQL injection while getting aggregate report data.

  • CVE-2024-21775 · Feb 16, 2024
    risk 0.00 cvss epss 0.05

    Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to authenticated SQL injection in the report exporting feature.

  • CVE-2023-46596 · Feb 15, 2024
    risk 0.00 cvss epss 0.00

    Improper input validation in the Algosec FireFlow VisualFlow workflow editor via the Name, Description and Configuration File fields in versions A32.20, A32.50, A32.60 permits an attacker to initiate an XSS attack by injecting malicious executable scripts into the application's code.…

  • CVE-2024-0269 · Feb 2, 2024
    risk 0.00 cvss epss 0.05

    ManageEngine ADAudit Plus versions 7270 and below are vulnerable to authenticated SQL injection in File-Summary DrillDown. This issue has been fixed and released in version 7271.

  • CVE-2024-0253 · Feb 2, 2024
    risk 0.00 cvss epss 0.05

    ManageEngine ADAudit Plus versions 7270 and below are vulnerable to authenticated SQL injection in home Graph-Data.

  • CVE-2023-6105 · Nov 15, 2023
    risk 0.00 cvss epss 0.01

    An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt…

  • CVE-2023-4769 · Nov 3, 2023
    risk 0.00 cvss epss 0.03

    An SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. This vulnerability could allow an authenticated attacker to launch targeted attacks, such as a cross-port attack, service enumeration and other…

  • CVE-2023-4768 · Nov 3, 2023
    risk 0.00 cvss epss 0.03

    A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in…

  • CVE-2023-4767 · Nov 3, 2023
    risk 0.00 cvss epss 0.03

    A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in…

  • CVE-2023-41356 · Nov 3, 2023
    risk 0.00 cvss epss 0.01

    NCSIST ManageEngine Mobile Device Manager (MDM) APP's special function has a path traversal vulnerability. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and read arbitrary system files.

  • CVE-2023-41344 · Nov 3, 2023
    risk 0.00 cvss epss 0.01

    NCSIST ManageEngine Mobile Device Manager (MDM) APP's special function has a path traversal vulnerability. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and read arbitrary system files.

  • CVE-2023-35719 · Sep 6, 2023
    risk 0.00 cvss epss 0.26

    ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus.…

  • CVE-2023-35785 · Aug 28, 2023
    risk 0.00 cvss epss 0.02

    Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4161 and below, Data Security Plus 6110 and below, Eventlog Analyzer 12301 and…

  • CVE-2023-38331 · Jul 28, 2023
    risk 0.00 cvss epss 0.02

    Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module.

  • CVE-2023-35786 · Jul 5, 2023
    risk 0.00 cvss epss 0.03

    Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files.

  • CVE-2023-2291 · Apr 26, 2023
    risk 0.00 cvss epss 0.01

    Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their…

  • CVE-2023-26600 · Mar 6, 2023
    risk 0.00 cvss epss 0.06

    ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports.

  • CVE-2022-48362 · Feb 25, 2023
    risk 0.00 cvss epss 0.09

    Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker…

  • CVE-2022-47578 · Dec 20, 2022
    risk 0.00 cvss epss 0.01

    An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the…

  • CVE-2022-41339 · Nov 12, 2022
    risk 0.00 cvss epss 0.01

    In Zoho ManageEngine Mobile Device Manager Plus before 10.1.2207.5, the User Administration module allows privilege escalation.

  • CVE-2022-40773 · Nov 12, 2022
    risk 0.00 cvss epss 0.05

    Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view.

  • CVE-2022-36783 · Oct 25, 2022
    risk 0.00 cvss epss 0.00

    AlgoSec – FireFlow Reflected Cross-Site-Scripting (RXSS). A malicious user injects JavaScript code into a parameter called IntersectudRule on the search/result.html page. The malicious user changes the request from POST to GET and sends the URL to another user (victim).…

  • CVE-2022-36412 · Jul 26, 2022
    risk 0.00 cvss epss 0.06

    In Zoho ManageEngine SupportCenter Plus before 11023, V3 API requests are vulnerable to authentication bypass. (An API request may, in effect, be executed with the credentials of a user who authenticated in the past.)

  • CVE-2022-35404 · Jul 18, 2022
    risk 0.00 cvss epss 0.04

    ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine.

  • CVE-2022-35403 · Jul 12, 2022
    risk 0.00 cvss epss 0.07

    Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability via ticket-creation email. (This also affects Asset Explorer before 6977 with…

  • CVE-2022-26653 · Apr 16, 2022
    risk 0.00 cvss epss 0.02

    Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator).

  • CVE-2022-26777 · Apr 16, 2022
    risk 0.00 cvss epss 0.02

    Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details.

  • CVE-2022-24306 · Mar 2, 2022
    risk 0.00 cvss epss 0.02

    Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled.

  • CVE-2021-46166 · Jan 9, 2022
    risk 0.00 cvss epss 0.03

    Zoho ManageEngine Desktop Central before 10.0.662 allows authenticated users to obtain sensitive information from the database by visiting the Reports page.

  • CVE-2021-20148 · Jan 3, 2022
    risk 0.00 cvss epss 0.01

    ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a predictable filename based on the domain name. When ADSSP is configured with multiple Windows domains, a user from one domain can obtain the password…

  • CVE-2021-44514 · Dec 9, 2021
    risk 0.00 cvss epss 0.05

    OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories.

  • CVE-2020-19554 · Sep 21, 2021
    risk 0.00 cvss epss 0.01

    Cross Site Scripting (XSS) vulnerability exists in ManageEngine OPManager <=12.5.174 when the API key contains an XML-based XSS payload.

  • CVE-2021-37741 · Sep 21, 2021
    risk 0.00 cvss epss 0.03

    ManageEngine ADManager Plus before 7111 has Pre-authentication RCE vulnerabilities.

  • CVE-2021-40173 · Aug 29, 2021
    risk 0.00 cvss epss 0.01

    Zoho ManageEngine Cloud Security Plus before Build 4117 allows a CSRF attack on the server proxy settings.

  • CVE-2021-40178 · Aug 29, 2021
    risk 0.00 cvss epss 0.01

    Zoho ManageEngine Log360 before Build 5224 allows stored XSS via the LOGO_PATH key value in the logon settings.

  • CVE-2021-31857 · Jun 16, 2021
    risk 0.00 cvss epss 0.03

    In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, attackers are able to retrieve credentials via a browser extension for non-website resource types.

  • CVE-2020-35682 · Mar 13, 2021
    risk 0.00 cvss epss 0.07

    Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).

  • CVE-2019-16962 · Jan 6, 2021
    risk 0.00 cvss epss 0.02

    Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a modified Report Name in a New Custom Report.

  • CVE-2020-14811 · Oct 21, 2020
    risk 0.00 cvss epss 0.01

    Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: AMP EBS Integration). Supported versions that are affected are 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via…

  • CVE-2020-14761 · Oct 21, 2020
    risk 0.00 cvss epss 0.01

    Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: Oracle Diagnostics Interfaces). Supported versions that are affected are 12.1.3 and 12.2.3 - 12.2.7. Easily exploitable vulnerability allows unauthenticated attacker with network…

  • CVE-2020-11552 · Aug 11, 2020
    risk 0.00 cvss epss 0.07

    An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a…

  • CVE-2020-15302 · Jun 25, 2020
    risk 0.00 cvss epss 0.01

    In Argent RecoveryManager before 0xdc350d09f71c48c5D22fBE2741e4d6A03970E192, the executeRecovery function does not require any signatures in the zero-guardian case, which allows attackers to cause a denial of service (locking) or a takeover.

  • CVE-2020-10541 · Mar 13, 2020
    risk 0.00 cvss epss 0.10

    Zoho ManageEngine OpManager before 12.4.179 allows remote code execution via a specially crafted Mail Server Settings v1 API request. This was fixed in 12.5.108.

  • CVE-2019-19475 · Jan 10, 2020
    risk 0.00 cvss epss 0.03

    An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. The integrated PostgreSQL that is built into Applications Manager is prone to attack due to a lack of file permission security. Malicious users who are in the “Authenticated Users” group can…

  • CVE-2019-17421 · Nov 21, 2019
    risk 0.00 cvss epss 0.01

    Incorrect file permissions on the packaged Nipper executable file in Zoho ManageEngine OpManager 12.4.072 and Firewall Analyzer 12.4.072 allow local users to elevate privileges to root by overwriting this file with a malicious payload.

  • CVE-2019-15046 · Aug 14, 2019
    risk 0.00 cvss epss 0.05

    Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989.

  • CVE-2019-2825 · Jul 23, 2019
    risk 0.00 cvss epss 0.01

    Vulnerability in the Oracle Applications Manager component of Oracle E-Business Suite (subcomponent: Oracle Diagnostics Interfaces). Supported versions that are affected are 12.1.3 and 12.2.3 - 12.2.8. Easily exploitable vulnerability allows high privileged attacker with network…

Page 5 of 6