VYPR

Vendor CVEs

Zoho

All CVEs

239 total · sorted by risk
  • CVE-2021-37539 · Sep 27, 2021
    risk 0.03 · cvss · epss 0.93

    Zoho ManageEngine ADManager Plus before 7111 is vulnerable to unrestricted file which leads to Remote code execution.

  • CVE-2020-27995 · Oct 29, 2020
    risk 0.03 · cvss · epss 0.09

    SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter.

  • CVE-2020-15394 · Sep 25, 2020
    risk 0.03 · cvss · epss 0.08

    The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution.

  • CVE-2019-8929 · May 17, 2019
    risk 0.03 · cvss · epss 0.11

    An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/selectDevice.jsp file in these GET parameters: param and rtype.

  • CVE-2019-8928 · May 17, 2019
    risk 0.03 · cvss · epss 0.06

    An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in /netflow/jspui/userManagementForm.jsp via these GET parameters: authMeth, passWord, pwd1, and userName.

  • CVE-2015-5150 · Jun 30, 2015
    risk 0.03 · cvss · epss 0.04

    Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authenticated users to inject arbitrary web script or HTML via the (1) query parameter in the run_query_editor_query module to CustomReportHandler.do, (2) compAcct…

  • CVE-2015-1479 · Feb 4, 2015
    risk 0.03 · cvss · epss 0.04

    SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter.

  • CVE-2014-7867 · Dec 4, 2014
    risk 0.03 · cvss · epss 0.40

    SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allows remote attackers or remote authenticated users to execute arbitrary SQL…

  • CVE-2011-5105 · Aug 23, 2012
    risk 0.03 · cvss · epss 0.06

    Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 allow remote attackers to inject arbitrary web script or HTML via the (1) searchType and (2) searchString parameters, a different vulnerability than…

  • CVE-2010-3272 · Feb 17, 2011
    risk 0.03 · cvss · epss 0.04

    accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it easier for remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, via a modified (1)…

  • CVE-2023-38743 · Sep 11, 2023
    risk 0.02 · cvss · epss 0.12

    Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine.

  • CVE-2022-34829 · Jul 4, 2022
    risk 0.02 · cvss · epss 0.05

    Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API.

  • CVE-2021-46065 · Jan 27, 2022
    risk 0.02 · cvss · epss 0.92

    A Cross-site scripting (XSS) vulnerability in the Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows attackers to inject arbitrary JavaScript code.

  • CVE-2021-42099 · Nov 30, 2021
    risk 0.02 · cvss · epss 0.07

    Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution.

  • CVE-2021-41833 · Nov 11, 2021
    risk 0.02 · cvss · epss 0.08

    Zoho ManageEngine Patch Connect Plus before 90099 is vulnerable to unauthenticated remote code execution.

  • CVE-2021-41075 · Oct 13, 2021
    risk 0.02 · cvss · epss 0.03

    The NetFlow Analyzer in Zoho ManageEngine OpManager before 125455 is vulnerable to SQL Injection in the Attacks Module API.

  • CVE-2021-37925 · Sep 22, 2021
    risk 0.02 · cvss · epss 0.10

    Zoho ManageEngine ADManager Plus version 7110 and prior has a Post-Auth OS command injection vulnerability.

  • CVE-2021-37422 · Sep 10, 2021
    risk 0.02 · cvss · epss 0.03

    Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases.

  • CVE-2021-37423 · Sep 10, 2021
    risk 0.02 · cvss · epss 0.03

    Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover.

  • CVE-2021-33055 · Aug 30, 2021
    risk 0.02 · cvss · epss 0.18

    Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.

  • CVE-2021-31813 · Jul 1, 2021
    risk 0.02 · cvss · epss 0.78

    Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD.

  • CVE-2020-8540 · Mar 11, 2020
    risk 0.02 · cvss · epss 0.12

    An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

  • CVE-2023-48793 · Feb 2, 2024
    risk 0.01 · cvss · epss 0.07

    Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.

  • CVE-2023-23075 · Feb 1, 2023
    risk 0.01 · cvss · epss 0.03

    Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets Workstation.

  • CVE-2020-21642 · Aug 15, 2022
    risk 0.01 · cvss · epss 0.08

    Directory Traversal vulnerability in the ZDBQAREFSUBDIR parameter of the /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

  • CVE-2022-24305 · Mar 2, 2022
    risk 0.01 · cvss · epss 0.03

    Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation.

  • CVE-2021-44651 · Jan 12, 2022
    risk 0.01 · cvss · epss 0.05

    Zoho ManageEngine CloudSecurityPlus before Build 4117 allows remote code execution through the updatePersonalizeSettings component due to an improper security patch for CVE-2021-40175.

  • CVE-2021-46164 · Jan 9, 2022
    risk 0.01 · cvss · epss 0.07

    Zoho ManageEngine Desktop Central before 10.0.662 allows remote code execution by an authenticated user who has complete access to the Reports module.

  • CVE-2021-44676 · Dec 20, 2021
    risk 0.01 · cvss · epss 0.04

    Zoho ManageEngine Access Manager Plus before 4203 allows anyone to view a few data elements (e.g., access control details) and modify a few aspects of the application state.

  • CVE-2021-42002 · Nov 11, 2021
    risk 0.01 · cvss · epss 0.07

    Zoho ManageEngine ADManager Plus before 7115 is vulnerable to a filter bypass that leads to file-upload remote code execution.

  • CVE-2021-41827 · Sep 30, 2021
    risk 0.01 · cvss · epss 0.05

    Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials for read-only access. The credentials are in the source code that corresponds to the DCBackupRestore JAR archive.

  • CVE-2021-41828 · Sep 30, 2021
    risk 0.01 · cvss · epss 0.05

    Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials associated with resetPWD.xml.

  • CVE-2021-28960 · Sep 21, 2021
    risk 0.01 · cvss · epss 0.02

    Zoho ManageEngine Desktop Central before build 10.0.683 allows unauthenticated command injection due to improper handling of an input command in on-demand operations.

  • CVE-2021-37417 · Aug 30, 2021
    risk 0.01 · cvss · epss 0.05

    Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation.

  • CVE-2021-37416 · Aug 30, 2021
    risk 0.01 · cvss · epss 0.03

    Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.

  • CVE-2021-40175 · Aug 29, 2021
    risk 0.01 · cvss · epss 0.07

    Zoho ManageEngine Log360 before Build 5219 allows unrestricted file upload with resultant remote code execution.

  • CVE-2021-40177 · Aug 29, 2021
    risk 0.01 · cvss · epss 0.05

    Zoho ManageEngine Log360 before Build 5225 allows remote code execution via BCP file overwrite.

  • CVE-2021-33911 · Jul 17, 2021
    risk 0.01 · cvss · epss 0.05

    Zoho ManageEngine ADManager Plus before 7110 allows remote code execution.

  • CVE-2021-28382 · Jun 7, 2021
    risk 0.01 · cvss · epss 0.01

    Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD.

  • CVE-2020-29658 · Mar 5, 2021
    risk 0.01 · cvss · epss 0.04

    Zoho ManageEngine Application Control Plus before 100523 has an insecure SSL configuration setting for Nginx, leading to Privilege Escalation.

  • CVE-2021-27214 · Feb 19, 2021
    risk 0.01 · cvss · epss 0.02

    A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative…

  • CVE-2019-16268 · Feb 3, 2021
    risk 0.01 · cvss · epss 0.02

    Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen.

  • CVE-2020-24397 · Oct 2, 2020
    risk 0.01 · cvss · epss 0.28

    An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code…

  • CVE-2020-15533 · Oct 1, 2020
    risk 0.01 · cvss · epss 0.04

    In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to an unauthenticated SQL Injection attack.

  • CVE-2020-15521 · Sep 25, 2020
    risk 0.01 · cvss · epss 0.02

    Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS).

  • CVE-2020-11518 · Apr 4, 2020
    risk 0.01 · cvss · epss 0.19

    Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution.

  • CVE-2024-27313 · May 29, 2024
    risk 0.00 · cvss · epss 0.01

    Zoho ManageEngine PAM360 is vulnerable to Stored XSS. This vulnerability is applicable only in version 6610.

  • CVE-2024-36037 · May 27, 2024
    risk 0.00 · cvss · epss 0.00

    Zoho ManageEngine ADAudit Plus versions 7260 and below allow unauthorized local agent machine users to view the session recordings.

  • CVE-2024-36036 · May 27, 2024
    risk 0.00 · cvss · epss 0.00

    Zoho ManageEngine ADAudit Plus versions 7260 and below allow unauthorized local agent machine users to access sensitive information and modify the agent configuration.

  • CVE-2024-21791 · May 22, 2024
    risk 0.00 · cvss · epss 0.02

    Zoho ManageEngine ADAudit Plus versions below 7271 allow SQL Injection in the lockout history option. Note: Non-admin users cannot exploit this vulnerability.