Vendor CVEs
Zoho
All CVEs
239 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-49335 | Zoho | | 0.00 | — | 0.03 | | May 20, 2024 | Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection while getting file server details. |
| CVE-2023-49334 | Zoho | | 0.00 | — | 0.03 | | May 20, 2024 | Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection while exporting a full summary report. |
| CVE-2023-49333 | Zoho | | 0.00 | — | 0.03 | | May 20, 2024 | Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection in the dashboard graph feature. |
| CVE-2023-49332 | Zoho | | 0.00 | — | 0.03 | | May 20, 2024 | Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection while adding file shares. |
| CVE-2023-49331 | Zoho | | 0.00 | — | 0.03 | | May 20, 2024 | Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection in the aggregate reports search option. |
| CVE-2023-49330 | Zoho | | 0.00 | — | 0.02 | | May 20, 2024 | Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection while getting aggregate report data. |
| CVE-2023-50785 | Zoho | | 0.00 | — | 0.02 | | Jan 25, 2024 | Zoho ManageEngine ADAudit Plus before 7270 allows admin users to view names of arbitrary directories via path traversal. |
| CVE-2023-41904 | Zoho | | 0.00 | — | 0.02 | | Sep 26, 2023 | Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass (for AuthToken generation) in REST APIs. |
| CVE-2023-39912 | Zoho | | 0.00 | — | 0.04 | | Aug 31, 2023 | Zoho ManageEngine ADManager Plus before 7203 allows Help Desk Technician users to read arbitrary files on the machine where this product is installed. |
| CVE-2023-31492 | Zoho | | 0.00 | — | 0.05 | | Aug 17, 2023 | Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to authenticated users. |
| CVE-2023-32783 | Zoho | | 0.00 | — | 0.03 | | Aug 7, 2023 | The event analysis component in Zoho ManageEngine ADAudit Plus 7.1.1 allows an attacker to bypass audit detection by creating or renaming user accounts with a "$" symbol suffix. NOTE: the vendor states "We do not consider this as a security bug and it's an expected behaviour." |
| CVE-2023-38332 | Zoho | | 0.00 | — | 0.03 | | Aug 4, 2023 | Zoho ManageEngine ADManager Plus through 7201 allows authenticated users to take over another user's account via sensitive information disclosure. |
| CVE-2023-37308 | Zoho | | 0.00 | — | 0.02 | | Jul 7, 2023 | Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field. |
| CVE-2023-35854 | Zoho | | 0.00 | — | 0.06 | | Jun 20, 2023 | Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is… |
| CVE-2022-47577 | Zoho | | 0.00 | — | 0.01 | | Dec 20, 2022 | An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the… |
| CVE-2022-41978 | Zoho | | 0.00 | — | 0.03 | | Nov 9, 2022 | Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin <= 1.7.5.8 on WordPress. |
| CVE-2020-21641 | Zoho | | 0.00 | — | 0.04 | | Aug 15, 2022 | Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote attackers to read arbitrary files, enumerate folders and scan internal ports via a crafted XML license file. |
| CVE-2022-35403 | Zoho | | 0.00 | — | 0.07 | | Jul 12, 2022 | Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability via ticket-creation email. (This also affects Asset Explorer before 6977 with… |
| CVE-2022-32551 | Zoho | | 0.00 | — | 0.03 | | Jul 1, 2022 | Zoho ManageEngine ServiceDesk Plus MSP before 10604 allows path traversal (to WEBINF/web.xml from sample/WEB-INF/web.xml or sample/META-INF/web.xml). |
| CVE-2022-27908 | Zoho | | 0.00 | — | 0.37 | | Apr 18, 2022 | Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL injection in the Inventory Reports module. |
| CVE-2022-26653 | Zoho | | 0.00 | — | 0.02 | | Apr 16, 2022 | Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator). |
| CVE-2022-25245 | Zoho | | 0.00 | — | 0.01 | | Apr 5, 2022 | Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to learn the organisation's default currency name. |
| CVE-2022-24978 | Zoho | | 0.00 | — | 0.01 | | Apr 5, 2022 | Zoho ManageEngine ADAudit Plus before 7055 allows authenticated privilege escalation on integrated products. This occurs because a password field is present in a JSON response. |
| CVE-2022-24447 | Zoho | | 0.00 | — | 0.01 | | Mar 2, 2022 | An issue was discovered in Zoho ManageEngine Key Manager Plus before 6200. A service exposed by the application allows a user with the Operator level to access stored SSL certificates and associated key pairs during export. |
| CVE-2022-24446 | Zoho | | 0.00 | — | 0.01 | | Mar 1, 2022 | An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user with the Operator level can see all SSH servers (and user information) even if no SSH server or user is associated with the operator. |
| CVE-2022-23863 | Zoho | | 0.00 | — | 0.02 | | Jan 28, 2022 | Zoho ManageEngine Desktop Central before 10.1.2137.10 allows an authenticated user to change any user's login password. |
| CVE-2021-44652 | Zoho | | 0.00 | — | 0.03 | | Jan 12, 2022 | Zoho ManageEngine O365 Manager Plus before Build 4416 allows remote code execution via BCP file overwrite through the ChangeDBAPI component. |
| CVE-2021-44650 | Zoho | | 0.00 | — | 0.05 | | Jan 12, 2022 | Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote command execution when updating proxy settings through the Admin ProxySettings and Tenant ProxySettings components. |
| CVE-2020-28679 | Zoho | | 0.00 | — | 0.03 | | Jan 10, 2022 | A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request. |
| CVE-2021-46165 | Zoho | | 0.00 | — | 0.00 | | Jan 9, 2022 | Zoho ManageEngine Desktop Central before 10.0.662, during startup, launches an executable file from the batch files, but this file's path might not be properly defined. |
| CVE-2021-44526 | Zoho | | 0.00 | — | 0.03 | | Dec 23, 2021 | Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations. |
| CVE-2021-44525 | Zoho | | 0.00 | — | 0.03 | | Dec 20, 2021 | Zoho ManageEngine PAM360 before build 5303 allows attackers to modify a few aspects of application state because of a filter bypass in which authentication is not required. |
| CVE-2021-44675 | Zoho | | 0.00 | — | 0.06 | | Dec 20, 2021 | Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in which authentication is not required. |
| CVE-2021-42955 | Zoho | | 0.00 | — | 0.00 | | Nov 17, 2021 | Zoho Remote Access Plus Server Windows Desktop binary fixed in version 10.1.2132 is affected by an unauthorized password reset vulnerability. Because of the designed password reset mechanism, any non-admin Windows user can reset the password of the Remote Access Plus Server… |
| CVE-2021-42954 | Zoho | | 0.00 | — | 0.00 | | Nov 17, 2021 | Zoho Remote Access Plus Server Windows Desktop binary fixed from 10.1.2121.1 is affected by incorrect access control. The installation directory is vulnerable to weak file permissions by allowing full control for the Windows Everyone user group (non-admin or any guest users),… |
| CVE-2021-42956 | Zoho | | 0.00 | — | 0.01 | | Nov 17, 2021 | Zoho Remote Access Plus Server Windows Desktop binary fixed in 10.1.2132.6 is affected by a sensitive information disclosure vulnerability. Due to improper privilege management, the process launches as the logged-in user, so a memory dump can be done by a non-admin as well. Remotely,… |
| CVE-2021-35512 | Zoho | | 0.00 | — | 0.02 | | Oct 21, 2021 | An SSRF issue was discovered in Zoho ManageEngine Applications Manager build 15200. |
| CVE-2021-38298 | Zoho | | 0.00 | — | 0.03 | | Oct 7, 2021 | Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE. |
| CVE-2021-33849 | Zoho | | 0.00 | — | 0.01 | | Oct 5, 2021 | A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser while the browser is connected to a trusted website. The attack targets your application's users and not the application itself while using your application as the attack's… |
| CVE-2021-41829 | Zoho | | 0.00 | — | 0.03 | | Sep 30, 2021 | Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application's build number to calculate a certain encryption key. |
| CVE-2021-37927 | Zoho | | 0.00 | — | 0.02 | | Sep 22, 2021 | Zoho ManageEngine ADManager Plus version 7110 and prior allows account takeover via SSO. |
| CVE-2021-37420 | Zoho | | 0.00 | — | 0.02 | | Sep 21, 2021 | Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing. |
| CVE-2021-37414 | Zoho | | 0.00 | — | 0.05 | | Sep 10, 2021 | Zoho ManageEngine DesktopCentral before 10.0.709 allows anyone to get a valid user's APIKEY without authentication. |
| CVE-2021-40172 | Zoho | | 0.00 | — | 0.01 | | Aug 29, 2021 | Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings. |
| CVE-2021-40174 | Zoho | | 0.00 | — | 0.01 | | Aug 29, 2021 | Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings. |
| CVE-2021-40176 | Zoho | | 0.00 | — | 0.01 | | Aug 29, 2021 | Zoho ManageEngine Log360 before Build 5225 allows stored XSS. |
| CVE-2021-20110 | Zoho | | 0.00 | — | 0.07 | | Jul 19, 2021 | Due to Manage Engine Asset Explorer Agent 1.0.34 not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on… |
| CVE-2021-20108 | Zoho | | 0.00 | — | 0.03 | | Jul 19, 2021 | Manage Engine Asset Explorer Agent 1.0.34 listens on port 9000 for incoming commands over HTTPS from Manage Engine Server. The HTTPS certificates are not verified, which allows any arbitrary user on the network to send commands over port 9000. While these commands may not be… |
| CVE-2021-20109 | Zoho | | 0.00 | — | 0.01 | | Jul 19, 2021 | Due to the Asset Explorer agent not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as… |
| CVE-2021-36771 | Zoho | | 0.00 | — | 0.01 | | Jul 17, 2021 | Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS. |
Page 4 of 5