VYPR

Vendor CVEs

Zoho

All CVEs

239 total · sorted by risk
  • CVE-2021-36772 · Jul 17, 2021
    risk 0.00 · cvss · epss 0.01

    Zoho ManageEngine ADManager Plus before 7110 allows stored XSS.

  • CVE-2021-31874 · Jul 2, 2021
    risk 0.00 · cvss · epss 0.04

    Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application.

  • CVE-2021-27956 · May 20, 2021
    risk 0.00 · cvss · epss 0.02

    Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.

  • CVE-2020-28050 · Mar 5, 2021
    risk 0.00 · cvss · epss 0.05

    Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server.

  • CVE-2020-35594 · Mar 5, 2021
    risk 0.00 · cvss · epss 0.01

    Zoho ManageEngine ADManager Plus before 7066 allows XSS.

  • CVE-2020-27733 · Jan 19, 2021
    risk 0.00 · cvss · epss 0.09

    Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.

  • CVE-2020-16267 · Oct 6, 2020
    risk 0.00 · cvss · epss 0.43

    Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module.

  • CVE-2020-15927 · Oct 6, 2020
    risk 0.00 · cvss · epss 0.40

    Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module.

  • CVE-2020-15589 · Oct 2, 2020
    risk 0.00 · cvss · epss 0.08

    A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W and Remote Access Plus before 10.1.2119.1. By exploiting this issue, an attacker-controlled server…

  • CVE-2020-15588 · Jul 29, 2020
    risk 0.00 · cvss · epss 0.13

    An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code…

  • CVE-2020-13154 · May 18, 2020
    risk 0.00 · cvss · epss 0.03

    Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet.

  • CVE-2020-10859 · May 5, 2020
    risk 0.00 · cvss · epss 0.04

    Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request.

  • CVE-2019-15510 · Mar 23, 2020
    risk 0.00 · cvss · epss 0.03

    ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 10 allows HTML injection on the user administration page via the description of a role.

  • CVE-2019-11361 · Mar 19, 2020
    risk 0.00 · cvss · epss 0.03

    Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user permissions properly, allowing for privilege escalation and eventually a full application takeover.

  • CVE-2019-20474 · Feb 17, 2020
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network…

  • CVE-2020-8422 · Jan 31, 2020
    risk 0.00 · cvss · epss 0.01

    An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name,…

  • CVE-2020-6843 · Jan 23, 2020
    risk 0.00 · cvss · epss 0.02

    Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959.

  • CVE-2019-19306 · Nov 26, 2019
    risk 0.00 · cvss · epss 0.01

    The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via module, EditShortcode, or LayoutName.

  • CVE-2019-15645 · Aug 27, 2019
    risk 0.00 · cvss · epss 0.01

    The zoho-salesiq plugin before 1.0.9 for WordPress has CSRF.

  • CVE-2019-15644 · Aug 27, 2019
    risk 0.00 · cvss · epss 0.01

    The zoho-salesiq plugin before 1.0.9 for WordPress has stored XSS.

  • CVE-2019-12876 · Jul 17, 2019
    risk 0.00 · cvss · epss 0.05

    Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System.

  • CVE-2019-5962 · Jul 5, 2019
    risk 0.00 · cvss · epss 0.02

    Cross-site scripting vulnerability in Zoho SalesIQ 1.0.8 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2019-5963 · Jul 5, 2019
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Zoho SalesIQ 1.0.8 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

  • CVE-2019-7427 · May 7, 2019
    risk 0.00 · cvss · epss 0.03

    XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the autorefTime or graphTypes parameter.

  • CVE-2019-7426 · May 7, 2019
    risk 0.00 · cvss · epss 0.03

    XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the groupDesc, groupName, groupID, or task parameter.

  • CVE-2019-7424 · Mar 17, 2019
    risk 0.00 · cvss · epss 0.03

    XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/index.jsp" file in the view GET parameter or any of these POST parameters: autorefTime, section, snapshot, viewOpt, viewAll, view, or groupSelName. The latter is…

  • CVE-2019-7423 · Mar 17, 2019
    risk 0.00 · cvss · epss 0.03

    XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/editProfile.jsp" file in the userName parameter.

  • CVE-2019-7422 · Mar 17, 2019
    risk 0.00 · cvss · epss 0.03

    XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/addMailSettings.jsp" file in the gF parameter.

  • CVE-2015-4418 · Jun 9, 2015
    risk 0.00 · cvss · epss 0.03

    Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.

  • CVE-2015-2961 · Jun 9, 2015
    risk 0.00 · cvss · epss 0.02

    Cross-site request forgery (CSRF) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to hijack the authentication of administrators.

  • CVE-2015-2960 · Jun 9, 2015
    risk 0.00 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2015-2959 · Jun 9, 2015
    risk 0.00 · cvss · epss 0.03

    Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role.

  • CVE-2015-1026 · Mar 11, 2015
    risk 0.00 · cvss · epss 0.04

    Multiple cross-site scripting (XSS) vulnerabilities in ZOHO ManageEngine ADManager Plus before 6.2 Build 6270 allow remote attackers to inject arbitrary web script or HTML via the (1) technicianSearchText parameter to the Help Desk Technician page or (2) rolesSearchText…

  • CVE-2015-0866 · Feb 2, 2015
    risk 0.00 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustomer, (2) username, or (3) password parameter to HomePage.do.

  • CVE-2014-3779 · Jan 7, 2015
    risk 0.00 · cvss · epss 0.04

    Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to GroupSubscription.do.

  • CVE-2014-6686 · Sep 23, 2014
    risk 0.00 · cvss · epss 0.00

    The Zoho Books - Accounting App (aka com.zoho.books) application 3.1.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

  • CVE-2014-5103 · Jul 25, 2014
    risk 0.00 · cvss · epss 0.04

    Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine EventLog Analyzer 9 build 9000 allows remote attackers to inject arbitrary web script or HTML via the j_username parameter to event/j_security_check. Fixed in Version 10 Build 10000.

  • CVE-2014-2670 · Mar 29, 2014
    risk 0.00 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in Properties.do in ZOHO ManageEngine OpStor before build 8500 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter, a different vulnerability than CVE-2014-0344.

  • CVE-2006-3842 · Jul 25, 2006
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in Zoho Virtual Office 3.2 Build 3210 allows remote attackers to execute arbitrary web script or HTML via an HTML message.

Page 5 of 5