Vendor CVEs
Zoho
All CVEs
239 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2021-36772 | 0.00 | — | 0.01 | Jul 17, 2021 | Zoho ManageEngine ADManager Plus before 7110 allows stored XSS. |
| CVE-2021-31874 | 0.00 | — | 0.04 | Jul 2, 2021 | Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application. |
| CVE-2021-27956 | 0.00 | — | 0.02 | May 20, 2021 | Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field. |
| CVE-2020-28050 | 0.00 | — | 0.05 | Mar 5, 2021 | Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server. |
| CVE-2020-35594 | 0.00 | — | 0.01 | Mar 5, 2021 | Zoho ManageEngine ADManager Plus before 7066 allows XSS. |
| CVE-2020-27733 | 0.00 | — | 0.09 | Jan 19, 2021 | Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request. |
| CVE-2020-16267 | 0.00 | — | 0.43 | Oct 6, 2020 | Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module. |
| CVE-2020-15927 | 0.00 | — | 0.40 | Oct 6, 2020 | Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module. |
| CVE-2020-15589 | 0.00 | — | 0.08 | Oct 2, 2020 | A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W and Remote Access Plus before 10.1.2119.1. By exploiting this issue, an attacker-controlled server… |
| CVE-2020-15588 | 0.00 | — | 0.13 | Jul 29, 2020 | An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code… |
| CVE-2020-13154 | 0.00 | — | 0.03 | May 18, 2020 | Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet. |
| CVE-2020-10859 | 0.00 | — | 0.04 | May 5, 2020 | Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request. |
| CVE-2019-15510 | 0.00 | — | 0.03 | Mar 23, 2020 | ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 10 allows HTML injection on the user administration page via the description of a role. |
| CVE-2019-11361 | 0.00 | — | 0.03 | Mar 19, 2020 | Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user permissions properly, allowing for privilege escalation and eventually a full application takeover. |
| CVE-2019-20474 | 0.00 | — | 0.01 | Feb 17, 2020 | An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network… |
| CVE-2020-8422 | 0.00 | — | 0.01 | Jan 31, 2020 | An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name,… |
| CVE-2020-6843 | 0.00 | — | 0.02 | Jan 23, 2020 | Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959. |
| CVE-2019-19306 | 0.00 | — | 0.01 | Nov 26, 2019 | The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via module, EditShortcode, or LayoutName. |
| CVE-2019-15645 | 0.00 | — | 0.01 | Aug 27, 2019 | The zoho-salesiq plugin before 1.0.9 for WordPress has CSRF. |
| CVE-2019-15644 | 0.00 | — | 0.01 | Aug 27, 2019 | The zoho-salesiq plugin before 1.0.9 for WordPress has stored XSS. |
| CVE-2019-12876 | 0.00 | — | 0.05 | Jul 17, 2019 | Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System. |
| CVE-2019-5962 | 0.00 | — | 0.02 | Jul 5, 2019 | Cross-site scripting vulnerability in Zoho SalesIQ 1.0.8 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2019-5963 | 0.00 | — | 0.01 | Jul 5, 2019 | Cross-site request forgery (CSRF) vulnerability in Zoho SalesIQ 1.0.8 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
| CVE-2019-7427 | 0.00 | — | 0.03 | May 7, 2019 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the autorefTime or graphTypes parameter. |
| CVE-2019-7426 | 0.00 | — | 0.03 | May 7, 2019 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the groupDesc, groupName, groupID, or task parameter. |
| CVE-2019-7424 | 0.00 | — | 0.03 | Mar 17, 2019 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/index.jsp" file in the view GET parameter or any of these POST parameters: autorefTime, section, snapshot, viewOpt, viewAll, view, or groupSelName. The latter is… |
| CVE-2019-7423 | 0.00 | — | 0.03 | Mar 17, 2019 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/editProfile.jsp" file in the userName parameter. |
| CVE-2019-7422 | 0.00 | — | 0.03 | Mar 17, 2019 | XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/addMailSettings.jsp" file in the gF parameter. |
| CVE-2015-4418 | 0.00 | — | 0.03 | Jun 9, 2015 | Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. |
| CVE-2015-2961 | 0.00 | — | 0.02 | Jun 9, 2015 | Cross-site request forgery (CSRF) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to hijack the authentication of administrators. |
| CVE-2015-2960 | 0.00 | — | 0.02 | Jun 9, 2015 | Cross-site scripting (XSS) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2015-2959 | 0.00 | — | 0.03 | Jun 9, 2015 | Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role. |
| CVE-2015-1026 | 0.00 | — | 0.04 | Mar 11, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in ZOHO ManageEngine ADManager Plus before 6.2 Build 6270 allow remote attackers to inject arbitrary web script or HTML via the (1) technicianSearchText parameter to the Help Desk Technician page or (2) rolesSearchText… |
| CVE-2015-0866 | 0.00 | — | 0.02 | Feb 2, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustomer, (2) username, or (3) password parameter to HomePage.do. |
| CVE-2014-3779 | 0.00 | — | 0.04 | Jan 7, 2015 | Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to GroupSubscription.do. |
| CVE-2014-6686 | 0.00 | — | 0.00 | Sep 23, 2014 | The Zoho Books - Accounting App (aka com.zoho.books) application 3.1.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| CVE-2014-5103 | 0.00 | — | 0.04 | Jul 25, 2014 | Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine EventLog Analyzer 9 build 9000 allows remote attackers to inject arbitrary web script or HTML via the j_username parameter to event/j_security_check. Fixed in Version 10 Build 10000. |
| CVE-2014-2670 | 0.00 | — | 0.02 | Mar 29, 2014 | Cross-site scripting (XSS) vulnerability in Properties.do in ZOHO ManageEngine OpStor before build 8500 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter, a different vulnerability than CVE-2014-0344. |
| CVE-2006-3842 | 0.00 | — | 0.01 | Jul 25, 2006 | Cross-site scripting (XSS) vulnerability in Zoho Virtual Office 3.2 Build 3210 allows remote attackers to execute arbitrary web script or HTML via an HTML message. |
Page 5 of 5