Vendor CVEs
Zohocorp
All CVEs
265 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-6603 | Cri | 0.74 | 9.8 | 0.87 | Jan 23, 2017 | ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header. | ||
| CVE-2016-6600 | Cri | 0.74 | 9.8 | 0.90 | Jan 23, 2017 | Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. (dot dot) in the fileName parameter to servlets/FileUploadServlet. | ||
| CVE-2016-6602 | Cri | 0.71 | 9.8 | 0.55 | Jan 23, 2017 | ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a… | ||
| CVE-2017-11346 | Cri | 0.70 | 9.8 | 0.43 | Jul 17, 2017 | Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos. | ||
| CVE-2017-16543 | Cri | 0.67 | 9.8 | 0.06 | Nov 5, 2017 | Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter. | ||
| CVE-2017-7213 | Cri | 0.66 | 10.0 | 0.08 | May 15, 2017 | Zoho ManageEngine Desktop Central before build 100082 allows remote attackers to obtain control over all connected active desktops via unspecified vectors. | ||
| CVE-2017-16851 | Cri | 0.65 | 9.8 | 0.17 | Nov 16, 2017 | Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter. | ||
| CVE-2017-16850 | Cri | 0.65 | 9.8 | 0.17 | Nov 16, 2017 | Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action. | ||
| CVE-2017-16849 | Cri | 0.65 | 9.8 | 0.17 | Nov 16, 2017 | Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter. | ||
| CVE-2017-16848 | Cri | 0.65 | 9.8 | 0.15 | Nov 16, 2017 | Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter. | ||
| CVE-2017-16847 | Cri | 0.65 | 9.8 | 0.17 | Nov 16, 2017 | Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action. | ||
| CVE-2017-16846 | Cri | 0.65 | 9.8 | 0.17 | Nov 16, 2017 | Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter. | ||
| CVE-2015-2560 | Cri | 0.65 | 9.8 | 0.16 | Aug 2, 2017 | Manage Engine Desktop Central 9 before build 90135 allows remote attackers to change passwords of users with the Administrator role via an addOrModifyUser operation to servlets/DCOperationsServlet. | ||
| CVE-2025-8324 | Cri | 0.64 | 9.8 | 0.02 | Nov 11, 2025 | Zohocorp ManageEngine Analytics Plus versions 6170 and below are vulnerable to Unauthenticated SQL Injection due to the improper filter configuration. | ||
| CVE-2015-9107 | Cri | 0.64 | 9.8 | 0.04 | Aug 4, 2017 | Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor. | ||
| CVE-2017-16542 | Hig | 0.61 | 8.8 | 0.05 | Nov 5, 2017 | Zoho ManageEngine Applications Manager 13 before build 13500 allows Post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request. | ||
| CVE-2018-11808 | Cri | 0.60 | 9.1 | 0.06 | Jun 6, 2018 | Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by… | ||
| CVE-2016-6601 | Hig | 0.60 | 7.5 | 0.97 | Jan 23, 2017 | Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile. | ||
| CVE-2017-14123 | Hig | 0.58 | 8.8 | 0.06 | Sep 4, 2017 | Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upload vulnerability in the "Group Chat" section. Any user can upload files with any extensions. By uploading a PHP file to the server, an attacker can cause it to execute in the server context, as demonstrated… | ||
| CVE-2025-9223 | Hig | 0.57 | 8.8 | 0.04 | Nov 11, 2025 | Zohocorp ManageEngine Applications Manager versions 178100 and below are vulnerable to authenticated command injection vulnerability due to the improper configuration in the execute program action feature. | ||
| CVE-2016-4889 | Hig | 0.57 | 8.8 | 0.03 | Apr 14, 2017 | ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions. | ||
| CVE-2026-2740 | Hig | 0.55 | 8.4 | 0.02 | May 21, 2026 | Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency. | ||
| CVE-2026-1367 | Hig | 0.54 | 8.3 | 0.08 | Feb 23, 2026 | Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option. | ||
| CVE-2024-6748 | Hig | 0.54 | 8.3 | 0.24 | Jul 29, 2024 | Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and RMM versions 128317 and below are vulnerable to authenticated SQL injection in the URL monitoring. | ||
| CVE-2026-3324 | Hig | 0.53 | 8.2 | 0.01 | Apr 16, 2026 | Zohocorp ManageEngine Log360 versions 13000 through 13013 are vulnerable to authentication bypass on certain actions due to improper filter configuration. | ||
| CVE-2026-5785 | Hig | 0.53 | 8.1 | 0.01 | Apr 16, 2026 | Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module. | ||
| CVE-2016-1161 | Hig | 0.52 | 8.0 | 0.01 | Apr 20, 2017 | Cross-site request forgery (CSRF) vulnerability in ManageEngine Password Manager Pro before 8.5 (Build 8500). | ||
| CVE-2015-7781 | Hig | 0.49 | 7.5 | 0.07 | Jun 27, 2017 | ManageEngine Firewall Analyzer before 8.0 does not restrict access permissions. | ||
| CVE-2025-1724 | Hig | 0.48 | 7.4 | 0.01 | Mar 17, 2025 | Zohocorp's ManageEngine Analytics Plus and Zoho Analytics on-premise versions older than 6130 are vulnerable to an AD only account takeover because of a hardcoded sensitive token. | ||
| CVE-2026-27655 | Hig | 0.47 | 7.3 | 0.01 | Apr 3, 2026 | Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions Based on Mailboxes report. | ||
| CVE-2026-4108 | Hig | 0.47 | 7.3 | 0.01 | Apr 3, 2026 | Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Non-Owner Mailbox Permission report. | ||
| CVE-2026-4107 | Hig | 0.47 | 7.3 | 0.01 | Apr 3, 2026 | Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Folder Message Count and Size report. | ||
| CVE-2026-3880 | Hig | 0.47 | 7.3 | 0.01 | Apr 3, 2026 | Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report. | ||
| CVE-2026-3879 | Hig | 0.47 | 7.3 | 0.01 | Apr 3, 2026 | Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Equipment Mailbox Details report. | ||
| CVE-2026-28703 | Hig | 0.47 | 7.3 | 0.01 | Apr 3, 2026 | Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Mails Exchanged Between Users report. | ||
| CVE-2026-28756 | Hig | 0.47 | 7.3 | 0.01 | Apr 3, 2026 | Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions based on Distribution Groups report. | ||
| CVE-2026-28754 | Hig | 0.47 | 7.3 | 0.01 | Apr 3, 2026 | Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Distribution Lists report. | ||
| CVE-2015-7780 | Med | 0.43 | 6.5 | 0.11 | Jun 27, 2017 | Directory traversal vulnerability in ManageEngine Firewall Analyzer before 8.0. | ||
| CVE-2025-9227 | Med | 0.42 | 6.5 | 0.00 | Nov 11, 2025 | Zohocorp ManageEngine OpManager versions 128609 and below are vulnerable to Stored XSS Vulnerability in the SNMP trap processor. | ||
| CVE-2024-9100 | Med | 0.42 | 6.5 | 0.00 | Oct 3, 2024 | Zohocorp ManageEngine Analytics Plus versions before 5410 and Zoho Analytics On-Premise versions before 5410 are vulnerable to Path traversal. | ||
| CVE-2023-50891 | Med | 0.42 | 6.5 | 0.01 | Dec 29, 2023 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Forms Form plugin for WordPress – Zoho Forms allows Stored XSS.This issue affects Form plugin for WordPress – Zoho Forms: from n/a through 3.0.1. | ||
| CVE-2018-12996 | Med | 0.40 | 6.1 | 0.03 | Jun 29, 2018 | A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do. | ||
| CVE-2017-17698 | Med | 0.40 | 6.1 | 0.02 | Dec 15, 2017 | Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflected XSS in SearchResult.ec and BulkAccessControlView.ec. | ||
| CVE-2017-11687 | Med | 0.40 | 6.1 | 0.01 | Jul 27, 2017 | Multiple Persistent cross-site scripting (XSS) vulnerabilities in Event log parsing and Display functions in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML via syslog. | ||
| CVE-2017-11686 | Med | 0.40 | 6.1 | 0.02 | Jul 27, 2017 | Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attackers to obtain an authenticated user's password via XSS vulnerabilities or sniffing non-SSL traffic on the network, because the password is represented in a cookie with a reversible encoding method. | ||
| CVE-2017-11685 | Med | 0.40 | 6.1 | 0.01 | Jul 27, 2017 | Multiple Reflective cross-site scripting (XSS) vulnerabilities in search and display of event data in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML, as demonstrated by the fName parameter. | ||
| CVE-2017-14582 | Med | 0.39 | 5.9 | 0.02 | Sep 30, 2017 | The Zoho Site24x7 Mobile Network Poller application before 1.1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a self-signed certificate. | ||
| CVE-2016-4890 | Med | 0.35 | 5.3 | 0.03 | Apr 14, 2017 | ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie. | ||
| CVE-2016-4888 | Med | 0.35 | 5.4 | 0.02 | Apr 14, 2017 | Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2025-9226 | Med | 0.30 | 4.6 | 0.00 | Jan 30, 2026 | Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details. |
- risk 0.74cvss 9.8epss 0.87
ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header.
- risk 0.74cvss 9.8epss 0.90
Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. (dot dot) in the fileName parameter to servlets/FileUploadServlet.
- risk 0.71cvss 9.8epss 0.55
ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a…
- risk 0.70cvss 9.8epss 0.43
Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos.
- risk 0.67cvss 9.8epss 0.06
Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter.
- risk 0.66cvss 10.0epss 0.08
Zoho ManageEngine Desktop Central before build 100082 allows remote attackers to obtain control over all connected active desktops via unspecified vectors.
- risk 0.65cvss 9.8epss 0.17
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter.
- risk 0.65cvss 9.8epss 0.17
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action.
- risk 0.65cvss 9.8epss 0.17
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter.
- risk 0.65cvss 9.8epss 0.15
Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter.
- risk 0.65cvss 9.8epss 0.17
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action.
- risk 0.65cvss 9.8epss 0.17
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter.
- risk 0.65cvss 9.8epss 0.16
Manage Engine Desktop Central 9 before build 90135 allows remote attackers to change passwords of users with the Administrator role via an addOrModifyUser operation to servlets/DCOperationsServlet.
- risk 0.64cvss 9.8epss 0.02
Zohocorp ManageEngine Analytics Plus versions 6170 and below are vulnerable to Unauthenticated SQL Injection due to the improper filter configuration.
- risk 0.64cvss 9.8epss 0.04
Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor.
- risk 0.61cvss 8.8epss 0.05
Zoho ManageEngine Applications Manager 13 before build 13500 allows Post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request.
- risk 0.60cvss 9.1epss 0.06
Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by…
- risk 0.60cvss 7.5epss 0.97
Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.
- risk 0.58cvss 8.8epss 0.06
Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upload vulnerability in the "Group Chat" section. Any user can upload files with any extensions. By uploading a PHP file to the server, an attacker can cause it to execute in the server context, as demonstrated…
- risk 0.57cvss 8.8epss 0.04
Zohocorp ManageEngine Applications Manager versions 178100 and below are vulnerable to authenticated command injection vulnerability due to the improper configuration in the execute program action feature.
- risk 0.57cvss 8.8epss 0.03
ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions.
- risk 0.55cvss 8.4epss 0.02
Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency.
- risk 0.54cvss 8.3epss 0.08
Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.
- risk 0.54cvss 8.3epss 0.24
Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and RMM versions 128317 and below are vulnerable to authenticated SQL injection in the URL monitoring.
- risk 0.53cvss 8.2epss 0.01
Zohocorp ManageEngine Log360 versions 13000 through 13013 are vulnerable to authentication bypass on certain actions due to improper filter configuration.
- risk 0.53cvss 8.1epss 0.01
Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.
- risk 0.52cvss 8.0epss 0.01
Cross-site request forgery (CSRF) vulnerability in ManageEngine Password Manager Pro before 8.5 (Build 8500).
- risk 0.49cvss 7.5epss 0.07
ManageEngine Firewall Analyzer before 8.0 does not restrict access permissions.
- risk 0.48cvss 7.4epss 0.01
Zohocorp's ManageEngine Analytics Plus and Zoho Analytics on-premise versions older than 6130 are vulnerable to an AD only account takeover because of a hardcoded sensitive token.
- risk 0.47cvss 7.3epss 0.01
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions Based on Mailboxes report.
- risk 0.47cvss 7.3epss 0.01
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Non-Owner Mailbox Permission report.
- risk 0.47cvss 7.3epss 0.01
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Folder Message Count and Size report.
- risk 0.47cvss 7.3epss 0.01
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report.
- risk 0.47cvss 7.3epss 0.01
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Equipment Mailbox Details report.
- risk 0.47cvss 7.3epss 0.01
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Mails Exchanged Between Users report.
- risk 0.47cvss 7.3epss 0.01
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions based on Distribution Groups report.
- risk 0.47cvss 7.3epss 0.01
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Distribution Lists report.
- risk 0.43cvss 6.5epss 0.11
Directory traversal vulnerability in ManageEngine Firewall Analyzer before 8.0.
- risk 0.42cvss 6.5epss 0.00
Zohocorp ManageEngine OpManager versions 128609 and below are vulnerable to Stored XSS Vulnerability in the SNMP trap processor.
- risk 0.42cvss 6.5epss 0.00
Zohocorp ManageEngine Analytics Plus versions before 5410 and Zoho Analytics On-Premise versions before 5410 are vulnerable to Path traversal.
- risk 0.42cvss 6.5epss 0.01
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Forms Form plugin for WordPress – Zoho Forms allows Stored XSS.This issue affects Form plugin for WordPress – Zoho Forms: from n/a through 3.0.1.
- risk 0.40cvss 6.1epss 0.03
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do.
- risk 0.40cvss 6.1epss 0.02
Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflected XSS in SearchResult.ec and BulkAccessControlView.ec.
- risk 0.40cvss 6.1epss 0.01
Multiple Persistent cross-site scripting (XSS) vulnerabilities in Event log parsing and Display functions in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML via syslog.
- risk 0.40cvss 6.1epss 0.02
Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attackers to obtain an authenticated user's password via XSS vulnerabilities or sniffing non-SSL traffic on the network, because the password is represented in a cookie with a reversible encoding method.
- risk 0.40cvss 6.1epss 0.01
Multiple Reflective cross-site scripting (XSS) vulnerabilities in search and display of event data in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML, as demonstrated by the fName parameter.
- risk 0.39cvss 5.9epss 0.02
The Zoho Site24x7 Mobile Network Poller application before 1.1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a self-signed certificate.
- risk 0.35cvss 5.3epss 0.03
ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie.
- risk 0.35cvss 5.4epss 0.02
Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- risk 0.30cvss 4.6epss 0.00
Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details.
Page 1 of 6