VYPR · Vendor CVEs · Zoho

All CVEs

239 total · sorted by risk
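Each entry below carries a severity badge, a publication date and three scores: VYPR's own risk score (the sort key of this listing), the CVSS base score and the EPSS exploitation probability. The block that follows is an added example, not VYPR's code: a parser for entries in this page's layout (it also accepts the badge-fused form that raw extraction produces, e.g. `CVE-2017-16543CriNov 5, 2017`) and two triage helpers that rank the parsed entries by EPSS and surface where a CVSS-only ordering disagrees with observed exploitation. The sample text is five entries copied from this page; the function names and the 0.5 EPSS floor are assumptions of the example.

```python
"""Parse entries in this page's layout and compare the two exploitability
signals each carries (CVSS base score vs. EPSS probability).

Added example, not VYPR's code. SAMPLE is five entries copied from this page;
one is left in the badge-fused form that raw extraction produces, which the
parser also accepts.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List

SAMPLE = """\
  • CVE-2016-6603 · Critical · Jan 23, 2017
    risk 0.74 · CVSS 9.8 · EPSS 0.87

    ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header.

  • CVE-2017-16543CriNov 5, 2017
    risk 0.67cvss 9.8epss 0.06

    Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter.

  • CVE-2018-15168 · Critical · Aug 8, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request.

  • CVE-2016-6601 · High · Jan 23, 2017
    risk 0.60 · CVSS 7.5 · EPSS 0.97

    Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.

  • CVE-2018-12998 · Medium · Jun 29, 2018
    risk 0.48 · CVSS 6.1 · EPSS 0.98

    A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote…
"""

SEVERITY = {"cri": "Critical", "hig": "High", "med": "Medium", "low": "Low"}
# Full words first so "Critical" is not cut to "Cri"; the optional "·" and
# whitespace make the same pattern accept the fused extraction form.
HEAD_RE = re.compile(
    r"(CVE-\d{4}-\d{4,})\s*·?\s*(Critical|High|Medium|Low|Cri|Hig|Med)\s*·?\s*"
    r"([A-Z][a-z]{2} \d{1,2}, \d{4})")
SCORE_RE = re.compile(
    r"risk\s+(\d\.\d+)\s*·?\s*cvss\s+(\d{1,2}\.\d)\s*·?\s*epss\s+(\d\.\d+)", re.I)


@dataclass
class Entry:
    cve: str
    severity: str
    published: date
    risk: float
    cvss: float
    epss: float
    description: str


def _finish(cur: dict) -> Entry:
    for key in ("risk", "cvss", "epss"):
        if key not in cur:
            raise ValueError(f"{cur['cve']}: missing {key} score")
    return Entry(cur["cve"], cur["severity"], cur["published"],
                 cur["risk"], cur["cvss"], cur["epss"], " ".join(cur["desc"]))


def parse_entries(text: str) -> List[Entry]:
    """One Entry per bullet; the head and score lines are matched anchored at
    the line start, so a CVE id quoted inside a description is not a new entry."""
    entries: List[Entry] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("•"):
            line = line[1:].strip()
        head = HEAD_RE.match(line)
        if head:
            if cur:
                entries.append(_finish(cur))
            cve, sev, when = head.groups()
            cur = {"cve": cve, "severity": SEVERITY[sev[:3].lower()],
                   "published": datetime.strptime(when, "%b %d, %Y").date(),
                   "desc": []}
            continue
        if cur is None:
            continue
        score = SCORE_RE.match(line)
        if score:
            cur["risk"], cur["cvss"], cur["epss"] = map(float, score.groups())
            continue
        if line:
            cur["desc"].append(line)
    if cur:
        entries.append(_finish(cur))
    return entries


def triage(entries: List[Entry], epss_floor: float = 0.5) -> List[Entry]:
    """Entries with EPSS at or above the floor, most likely exploited first.
    Severity is deliberately ignored: the page's own numbers put a 6.1 XSS at
    EPSS 0.98 next to 9.8-rated injections below 0.1."""
    return sorted((e for e in entries if e.epss >= epss_floor),
                  key=lambda e: e.epss, reverse=True)


def cvss_epss_gap(entries: List[Entry], top: int = 2) -> List[Entry]:
    """Entries whose rank by CVSS and rank by EPSS differ the most; these are
    the ones a CVSS-only patch queue misplaces."""
    by_cvss = {e.cve: i for i, e in enumerate(sorted(entries, key=lambda e: e.cvss, reverse=True))}
    by_epss = {e.cve: i for i, e in enumerate(sorted(entries, key=lambda e: e.epss, reverse=True))}
    return sorted(entries, key=lambda e: abs(by_cvss[e.cve] - by_epss[e.cve]), reverse=True)[:top]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in triage(parsed):
        print(f"{e.cve}  {e.severity:<8} cvss {e.cvss}  epss {e.epss}")
    print("largest CVSS/EPSS rank gap:", cvss_epss_gap(parsed, 1)[0].cve)
```

Run against the whole page the same way. On the five sample entries the EPSS ordering is the reverse of the severity ordering: CVE-2018-12998, a Medium reflected XSS, carries the highest EPSS on the page (0.98), above every 9.8-rated SQL injection listed.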
  • CVE-2016-6603 · Critical · Jan 23, 2017
    risk 0.74 · CVSS 9.8 · EPSS 0.87

    ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header.

  • CVE-2016-6600 · Critical · Jan 23, 2017
    risk 0.74 · CVSS 9.8 · EPSS 0.90

    Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. (dot dot) in the fileName parameter to servlets/FileUploadServlet.

  • CVE-2016-6602 · Critical · Jan 23, 2017
    risk 0.71 · CVSS 9.8 · EPSS 0.55

    ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a…

  • CVE-2018-17243 · Critical · Sep 20, 2018
    risk 0.70 · CVSS 9.8 · EPSS 0.74

    Global Search in Zoho ManageEngine OpManager before 12.3 build 123205 allows SQL injection.

  • CVE-2017-11346 · Critical · Jul 17, 2017
    risk 0.70 · CVSS 9.8 · EPSS 0.43

    Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos.

  • CVE-2018-13050 · Critical · Jul 2, 2018
    risk 0.67 · CVSS 9.8 · EPSS 0.38

    A SQL injection vulnerability exists in Zoho ManageEngine Applications Manager 13.x before build 13800 via the j_username parameter in a /j_security_check POST request.

  • CVE-2017-16543 · Critical · Nov 5, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.06

    Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter.

  • CVE-2017-16851 · Critical · Nov 16, 2017
    risk 0.65 · CVSS 9.8 · EPSS 0.17

    Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter.

  • CVE-2017-16850 · Critical · Nov 16, 2017
    risk 0.65 · CVSS 9.8 · EPSS 0.17

    Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action.

  • CVE-2017-16849 · Critical · Nov 16, 2017
    risk 0.65 · CVSS 9.8 · EPSS 0.17

    Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter.

  • CVE-2017-16848 · Critical · Nov 16, 2017
    risk 0.65 · CVSS 9.8 · EPSS 0.15

    Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter.

  • CVE-2017-16847 · Critical · Nov 16, 2017
    risk 0.65 · CVSS 9.8 · EPSS 0.17

    Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action.

  • CVE-2017-16846 · Critical · Nov 16, 2017
    risk 0.65 · CVSS 9.8 · EPSS 0.17

    Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter.

  • CVE-2018-15168 · Critical · Aug 8, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    A SQL injection vulnerability exists in Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request.

  • CVE-2018-5339 · Critical · Apr 18, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.08

    An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions.

  • CVE-2018-5338 · Critical · Apr 18, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.09

    An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: missing authentication/authorization for a database query mechanism.

  • CVE-2015-9107 · Critical · Aug 4, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credentials used to access the monitored devices. The implemented algorithm uses neither a per-system key nor a salt; therefore, it is possible to create a universal decryptor.

  • CVE-2017-16542 · High · Nov 5, 2017
    risk 0.61 · CVSS 8.8 · EPSS 0.05

    Zoho ManageEngine Applications Manager 13 before build 13500 allows post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request.

  • CVE-2016-6601 · High · Jan 23, 2017
    risk 0.60 · CVSS 7.5 · EPSS 0.97

    Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.

  • CVE-2017-14123 · High · Sep 4, 2017
    risk 0.58 · CVSS 8.8 · EPSS 0.06

    Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted file upload vulnerability in the "Group Chat" section. Any user can upload files with any extension. By uploading a PHP file to the server, an attacker can cause it to execute in the server context, as demonstrated…

  • CVE-2018-13411 · High · Sep 12, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.03

    An issue was discovered in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In the cloud edition, the issue is fixed in agent version 10.0.470.

  • CVE-2017-17552 · High · Feb 7, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.02

    /LoadFrame in Zoho ManageEngine AD Manager Plus builds 6590 through 6613 allows attackers to conduct URL redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted.

  • CVE-2016-4889 · High · Apr 14, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.03

    ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have an unspecified impact by leveraging a failure to restrict access to unknown functions.

  • CVE-2024-49297 · High · Oct 17, 2024
    risk 0.55 · CVSS 8.5 · EPSS 0.00

    SQL injection vulnerability in Zoho CRM Lead Magnet (zoho-crm-forms). Affects Zoho CRM Lead Magnet versions through 1.7.9.7.

  • CVE-2017-11512 · High · Nov 8, 2017
    risk 0.55 · CVSS 7.5 · EPSS 0.80

    ManageEngine ServiceDesk 9.3.9328 allows arbitrary file download because the pathname in the name parameter of the download-snapshot URL is not properly restricted. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.

  • CVE-2018-16364 · High · Sep 26, 2018
    risk 0.54 · CVSS 8.1 · EPSS 0.15

    A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows remote code execution on Windows via a payload on an SMB share.

  • CVE-2018-17283 · High · Sep 21, 2018
    risk 0.54 · CVSS 7.5 · EPSS 0.66

    Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or…

  • CVE-2018-13412 · High · Sep 12, 2018
    risk 0.51 · CVSS 7.8 · EPSS 0.01

    An issue was discovered in the Self Service Portal in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In the cloud edition, the issue is fixed in agent version 10.0.470.

  • CVE-2018-12999 · High · Jun 29, 2018
    risk 0.49 · CVSS 7.5 · EPSS 0.09

    Incorrect access control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon…

  • CVE-2018-12997 · High · Jun 29, 2018
    risk 0.49 · CVSS 7.5 · EPSS 0.07

    Incorrect access control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers…

  • CVE-2017-11511 · High · Nov 8, 2017
    risk 0.49 · CVSS 7.5 · EPSS 0.04

    ManageEngine ServiceDesk 9.3.9328 allows arbitrary file download because the pathname in the filepath parameter of the download-file URL is not properly restricted. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.

  • CVE-2018-12998 · Medium · Jun 29, 2018
    risk 0.48 · CVSS 6.1 · EPSS 0.98

    A reflected cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote…

  • CVE-2018-5342 · High · Apr 18, 2018
    risk 0.47 · CVSS 7.2 · EPSS 0.04

    An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account.

  • CVE-2018-5340 · High · Apr 18, 2018
    risk 0.47 · CVSS 7.2 · EPSS 0.05

    An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: database access using a superuser account (specifically, an account with permission to write to the filesystem via SQL queries).

  • CVE-2025-49028 · High · Dec 31, 2025
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    Cross-site request forgery (CSRF) vulnerability in Zoho ZeptoMail (transmail) that can be leveraged for stored XSS. Affects Zoho ZeptoMail versions through 3.3.1.

  • CVE-2024-38696 · High · Jul 20, 2024
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    Reflected cross-site scripting (XSS) vulnerability in Zoho CRM Lead Magnet. Affects Zoho CRM Lead Magnet versions through 1.7.8.8.

  • CVE-2018-16833 · Medium · Sep 21, 2018
    risk 0.45 · CVSS 6.1 · EPSS 0.65

    Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI.

  • CVE-2018-15740 · Medium · Aug 28, 2018
    risk 0.43 · CVSS 6.1 · EPSS 0.06

    Zoho ManageEngine ADManager Plus 6.5.7 has XSS on the "Workflow Delegation" "Requester Roles" screen.

  • CVE-2018-15608 · Medium · Aug 28, 2018
    risk 0.43 · CVSS 6.1 · EPSS 0.02

    Zoho ManageEngine ADManager Plus 6.5.7 allows HTML injection on the "AD Delegation" "Help Desk Technicians" screen.

  • CVE-2025-57963 · Medium · Sep 22, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    DOM-based cross-site scripting (XSS) vulnerability in Zoho Billing (zoho-subscriptions). Affects Zoho Billing versions through 4.1.

  • CVE-2025-30900 · Medium · Mar 27, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Stored cross-site scripting (XSS) vulnerability in Zoho Billing – Embed Payment Form. Affects Zoho Billing – Embed Payment Form versions through 4.0.

  • CVE-2024-38752 · Medium · Aug 13, 2024
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Cross-site scripting (XSS) vulnerability in Zoho Campaigns. Affects Zoho Campaigns versions through 2.0.8.

  • CVE-2024-36038 · Medium · Jun 24, 2024
    risk 0.41 · CVSS 6.3 · EPSS 0.01

    Zoho ManageEngine ITOM products, builds 128234 through 128248, are affected by a stored cross-site scripting vulnerability in the proxy server option.

  • CVE-2018-17596 · Medium · Oct 2, 2018
    risk 0.40 · CVSS 6.1 · EPSS 0.02

    In Zoho ManageEngine AssetExplorer 6.2.0, a stored XSS vulnerability was discovered via the /AssetDef.do ciName or assetName parameter.

  • CVE-2018-16965 · Medium · Sep 21, 2018
    risk 0.40 · CVSS 6.1 · EPSS 0.03

    In Zoho ManageEngine SupportCenter Plus before 8.1 Build 8109, there is HTML injection and stored XSS via the /ServiceContractDef.do contractName parameter.

  • CVE-2018-10075 · Medium · Jul 2, 2018
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    Cross-site scripting (XSS) vulnerability in Zoho ManageEngine EventLog Analyzer 11.12 allows remote attackers to inject arbitrary web script or HTML via the import logs feature.

  • CVE-2018-10803 · Medium · May 10, 2018
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary web script or HTML via a crafted description value. This can be exploited through…

  • CVE-2018-5799 · Medium · Mar 30, 2018
    risk 0.40 · CVSS 6.1 · EPSS 0.02

    In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139.

  • CVE-2018-8722 · Medium · Mar 15, 2018
    risk 0.40 · CVSS 6.1 · EPSS 0.02

    Zoho ManageEngine Desktop Central version 9.1.0 build 91099 has multiple XSS issues that were fixed in build 92026.

  • CVE-2017-17698 · Medium · Dec 15, 2017
    risk 0.40 · CVSS 6.1 · EPSS 0.02

    Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflected XSS in SearchResult.ec and BulkAccessControlView.ec.
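Several entries on this page describe one defect: a client-supplied fileName, filepath, name or computerName parameter carrying a `..` component reaches the filesystem unchecked (CVE-2016-6600, CVE-2016-6601, CVE-2017-11511, CVE-2017-11512, CVE-2018-12999). The block below is an added example, not Zoho's or VYPR's code. It places the vulnerable join next to a containment check that decodes, normalises and resolves the requested name before requiring the result to stay under the base directory, and reuses the same normalisation to screen access-log lines for the pattern. It goes slightly beyond the advisories by also catching percent-encoded, double-encoded and backslash forms. The servlet paths and parameter names are the ones named above; the log lines, client addresses, timestamps, response sizes, the base directory and all function names are constructed for the example.

```python
"""Path-containment check and access-log screen for the '..' traversal pattern
in the fileName / filepath / name parameters of several entries on this page.

Added example, not Zoho's or VYPR's code. LOG_LINES are constructed: the
servlet paths and parameter names come from the advisories above, the
addresses, timestamps and sizes are made up.
"""
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

WATCHED_PARAMS = {"fileName", "filepath", "name", "computerName"}

LOG_LINES = [
    '198.51.100.5 - - [23/Jan/2017:10:01:02 +0000] "GET /servlets/FetchFile?fileName=../../WEB-INF/conf/securitydbData.xml HTTP/1.1" 200 812',
    '198.51.100.5 - - [23/Jan/2017:10:01:09 +0000] "GET /servlets/FetchFile?fileName=report.pdf HTTP/1.1" 200 41833',
    '198.51.100.9 - - [08/Nov/2017:13:37:00 +0000] "GET /download-file?filepath=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1204',
    '198.51.100.9 - - [08/Nov/2017:13:37:04 +0000] "GET /download-snapshot?name=..%5C..%5Cetc%5Cpasswd HTTP/1.1" 200 2210',
]


def normalise(value: str) -> str:
    """Undo up to two layers of percent-encoding and treat '\\' like '/'
    (an assumption for Windows-hosted deployments; one entry above is Windows-only)."""
    return unquote(unquote(value)).replace("\\", "/")


def vulnerable_resolve(base: Path, file_name: str) -> Path:
    # The defect the advisories describe: trust the client-supplied name and
    # join it onto the storage directory; '..' walks out of that directory.
    return base / file_name


def safe_resolve(base: Path, file_name: str) -> Path:
    """Return the real path for file_name, or raise ValueError if it leaves base."""
    candidate = normalise(file_name)
    if "\x00" in candidate:
        raise ValueError("NUL byte in file name")
    root = base.resolve()
    # lstrip('/') so an absolute name cannot replace the base outright;
    # resolve() collapses '..' and follows symlinks before the check is made.
    target = (root / candidate.lstrip("/")).resolve()
    if not target.is_relative_to(root):
        raise ValueError(f"path escapes base directory: {file_name!r}")
    return target


def containment_results(base: Optional[Path] = None) -> dict:
    """Try representative names against both resolvers; True means accepted."""
    base = base or Path(tempfile.mkdtemp())
    results = {}
    for name in ("reports/q1.pdf",
                 "../../etc/passwd",
                 "%2e%2e/%2e%2e/etc/passwd",
                 "..\\..\\etc\\passwd"):
        try:
            safe_resolve(base, name)
            results[name] = True
        except ValueError:
            results[name] = False
    escaped = vulnerable_resolve(base, "../../etc/passwd").resolve()
    results["vulnerable_join_escapes"] = not escaped.is_relative_to(base.resolve())
    return results


def flag_traversal(log_line: str) -> Optional[tuple]:
    """(param, decoded value) if a watched query parameter has a '..' segment."""
    try:
        request = log_line.split('"')[1]          # GET /path?query HTTP/1.1
        target = request.split()[1]
    except IndexError:
        return None
    for param, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        if param not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = normalise(value)            # parse_qs already decoded once
            if ".." in decoded.split("/"):
                return param, decoded
    return None


def screen_logs(lines) -> list:
    """[(client, param, decoded value)] for every line that trips the check."""
    hits = []
    for line in lines:
        hit = flag_traversal(line)
        if hit:
            hits.append((line.split()[0], *hit))
    return hits


if __name__ == "__main__":
    for name, accepted in containment_results().items():
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {name}")
    for client, param, value in screen_logs(LOG_LINES):
        print(f"traversal from {client}: {param}={value}")
```

The containment check is the one the fixed builds needed: decode first, resolve second, compare last, and reject rather than sanitise. The log screen is for the other side of the fence, finding the same requests after the fact; it matches on a decoded `..` segment rather than the literal string so the double-encoded and backslash variants in the constructed sample are caught too.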

Page 1 of 5