Zoho

All CVEs

239 total · sorted by risk
  • CVE-2017-11687 · Med · Jul 27, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Multiple Persistent cross-site scripting (XSS) vulnerabilities in Event log parsing and Display functions in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML via syslog.

  • CVE-2017-11686 · Med · Jul 27, 2017
    risk 0.40 · cvss 6.1 · epss 0.02

    Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attackers to obtain an authenticated user's password via XSS vulnerabilities or sniffing non-SSL traffic on the network, because the password is represented in a cookie with a reversible encoding method.

  • CVE-2017-11685 · Med · Jul 27, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Multiple Reflective cross-site scripting (XSS) vulnerabilities in search and display of event data in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML, as demonstrated by the fName parameter.

  • CVE-2017-14582 · Med · Sep 30, 2017
    risk 0.39 · cvss 5.9 · epss 0.02

    The Zoho Site24x7 Mobile Network Poller application before 1.1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a self-signed certificate.

  • CVE-2018-9163 · Med · Apr 2, 2018
    risk 0.38 · cvss 5.4 · epss 0.05

    A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject arbitrary web script or HTML via the loginName field to technicianAction.do.

  • CVE-2026-24595 · Med · Jan 23, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    Missing Authorization vulnerability in zohocrm Zoho CRM Lead Magnet zoho-crm-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zoho CRM Lead Magnet: from n/a through <= 1.8.1.9.

  • CVE-2018-7248 · Med · May 11, 2018
    risk 0.35 · cvss 5.3 · epss 0.06

    An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the account exists,…

  • CVE-2016-4890 · Med · Apr 14, 2017
    risk 0.35 · cvss 5.3 · epss 0.03

    ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie.

  • CVE-2016-4888 · Med · Apr 14, 2017
    risk 0.35 · cvss 5.4 · epss 0.02

    Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2025-67972 · Med · Feb 20, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Missing Authorization vulnerability in Zoho Mail Zoho ZeptoMail allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zoho ZeptoMail: from n/a through 3.2.9.

  • CVE-2024-32442 · Med · Apr 15, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Zoho Campaigns. This issue affects Zoho Campaigns: from n/a through 2.0.7.

  • CVE-2024-32441 · Med · Apr 15, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Zoho Campaigns. This issue affects Zoho Campaigns: from n/a through 2.0.7.

  • CVE-2022-35405 · KEV · Jul 19, 2022
    risk 0.23 · cvss - · epss 1.00

    Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)

  • CVE-2021-42847 · Nov 11, 2021
    risk 0.10 · cvss - · epss 0.70

    Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files.

  • CVE-2021-3287 · Apr 22, 2021
    risk 0.10 · cvss - · epss 0.51

    Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class.

  • CVE-2015-7766 · Oct 9, 2015
    risk 0.09 · cvss - · epss 0.81

    PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO."

  • CVE-2014-7866 · Dec 10, 2014
    risk 0.09 · cvss - · epss 0.80

    Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to write and execute arbitrary files via a .. (dot dot) in the (1) fileName…

  • CVE-2014-7868 · Dec 4, 2014
    risk 0.09 · cvss - · epss 0.73

    Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the…

  • CVE-2014-6034 · Dec 4, 2014
    risk 0.09 · cvss - · epss 0.79

    Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to…

  • CVE-2014-5005 · Oct 21, 2014
    risk 0.09 · cvss - · epss 0.78

    Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter in an LFU action to statusUpdate.

  • CVE-2015-7765 · Oct 9, 2015
    risk 0.08 · cvss - · epss 0.67

    ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser account, which allows remote authenticated users to obtain administrator access by leveraging knowledge of this password.

  • CVE-2022-29081 · Apr 28, 2022
    risk 0.07 · cvss - · epss 0.83

    Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via…

  • CVE-2020-14008 · Sep 4, 2020
    risk 0.07 · cvss - · epss 0.36

    Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution.

  • CVE-2014-5446 · Dec 4, 2014
    risk 0.07 · cvss - · epss 0.55

    Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter.

  • CVE-2022-42904 · Nov 18, 2022
    risk 0.06 · cvss - · epss 0.08

    Zoho ManageEngine ADManager Plus through 7151 allows authenticated admin users to execute the commands in proxy settings.

  • CVE-2022-23779 · Mar 2, 2022
    risk 0.06 · cvss - · epss 0.15

    Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.

  • CVE-2014-6036 · Dec 4, 2014
    risk 0.06 · cvss - · epss 0.39

    Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the…

  • CVE-2021-31159 · Jun 16, 2021
    risk 0.05 · cvss - · epss 0.18

    Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732.

  • CVE-2014-7864 · Feb 4, 2015
    risk 0.05 · cvss - · epss 0.23

    Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1)…

  • CVE-2014-6035 · Dec 4, 2014
    risk 0.05 · cvss - · epss 0.26

    Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter.

  • CVE-2010-3274 · Feb 17, 2011
    risk 0.05 · cvss - · epss 0.21

    Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or…

  • CVE-2023-48646 · Nov 22, 2023
    risk 0.04 · cvss - · epss 0.82

    Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings.

  • CVE-2022-47523 · Jan 5, 2023
    risk 0.04 · cvss - · epss 0.71

    Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.

  • CVE-2022-43671 · Nov 12, 2022
    risk 0.04 · cvss - · epss 0.75

    Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection.

  • CVE-2022-37024 · Aug 9, 2022
    risk 0.04 · cvss - · epss 0.78

    Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 (125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code…

  • CVE-2021-37918 · Oct 7, 2021
    risk 0.04 · cvss - · epss 0.74

    Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

  • CVE-2021-37926 · Oct 7, 2021
    risk 0.04 · cvss - · epss 0.74

    Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

  • CVE-2015-5149 · Jun 30, 2015
    risk 0.04 · cvss - · epss 0.10

    Directory traversal vulnerability in Zoho ManageEngine SupportCenter Plus 7.90 allows remote authenticated users to write to arbitrary files via a .. (dot dot) in the component parameter in the Request component to workorder/Attachment.jsp.

  • CVE-2015-2169 · Jun 24, 2015
    risk 0.04 · cvss - · epss 0.08

    Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 allows remote attackers to inject arbitrary web script or HTML via a Publisher registry entry, which is not properly handled when the machine is scanned.

  • CVE-2015-1480 · Feb 4, 2015
    risk 0.04 · cvss - · epss 0.06

    ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4)…

  • CVE-2022-38772 · Aug 29, 2022
    risk 0.03 · cvss - · epss 0.78

    Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes that lead to remote code execution in the NMAP feature.

  • CVE-2021-44757 · Jan 18, 2022
    risk 0.03 · cvss - · epss 0.24

    Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server.

  • CVE-2021-40493 · Oct 13, 2021
    risk 0.03 · cvss - · epss 0.50

    Zoho ManageEngine OpManager before 125437 is vulnerable to SQL Injection in the support diagnostics module. This occurs via the pollingObject parameter of the getDataCollectionFailureReason API.

  • CVE-2021-37762 · Oct 7, 2021
    risk 0.03 · cvss - · epss 0.08

    Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file overwrite leading to remote code execution.

  • CVE-2021-37920 · Oct 7, 2021
    risk 0.03 · cvss - · epss 0.11

    Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

  • CVE-2021-37923 · Oct 7, 2021
    risk 0.03 · cvss - · epss 0.11

    Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

  • CVE-2021-37924 · Oct 7, 2021
    risk 0.03 · cvss - · epss 0.11

    Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

  • CVE-2021-37930 · Oct 7, 2021
    risk 0.03 · cvss - · epss 0.09

    Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

  • CVE-2021-41288 · Sep 30, 2021
    risk 0.03 · cvss - · epss 0.80

    Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API.

  • CVE-2021-37761 · Sep 27, 2021
    risk 0.03 · cvss - · epss 0.09

    Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to unrestricted file upload, leading to remote code execution.

Page 2 of 5