Zohocorp

All CVEs

265 total · sorted by risk
  • CVE-2025-41437 · Med · Jun 9, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Zohocorp ManageEngine OpManager, NetFlow Analyzer, Network Configuration Manager, Firewall Analyzer and OpUtils versions 128565 and below are vulnerable to Reflected XSS on the login page.

  • CVE-2022-35405 · KEV · Jul 19, 2022
    risk 0.23 · cvss · epss 1.00

    Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)

  • CVE-2021-44077 · KEV · Nov 29, 2021
    risk 0.23 · cvss · epss 0.94

    Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

  • CVE-2020-10189 · KEV · Mar 6, 2020
    risk 0.23 · cvss · epss 1.00

    Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

  • CVE-2019-8394 · KEV · Feb 17, 2019
    risk 0.22 · cvss · epss 0.64

    Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.

  • CVE-2021-37415 · KEV · Sep 1, 2021
    risk 0.19 · cvss · epss 1.00

    Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.

  • CVE-2020-11532 · May 8, 2020
    risk 0.10 · cvss · epss 0.77

    Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of admin user.

  • CVE-2014-7863 · Feb 8, 2020
    risk 0.10 · cvss · epss 0.83

    The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users…

  • CVE-2018-7890 · Cri · Mar 8, 2018
    risk 0.09 · cvss 9.8 · epss 0.79

    A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls…

  • CVE-2015-7766 · Oct 9, 2015
    risk 0.09 · cvss · epss 0.81

    PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO."

  • CVE-2015-7387 · Sep 28, 2015
    risk 0.09 · cvss · epss 0.80

    ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT…

  • CVE-2014-7866 · Dec 10, 2014
    risk 0.09 · cvss · epss 0.80

    Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to write and execute arbitrary files via a .. (dot dot) in the (1) fileName…

  • CVE-2014-7868 · Dec 4, 2014
    risk 0.09 · cvss · epss 0.73

    Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the…

  • CVE-2014-6034 · Dec 4, 2014
    risk 0.09 · cvss · epss 0.79

    Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to…

  • CVE-2014-5005 · Oct 21, 2014
    risk 0.09 · cvss · epss 0.78

    Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter in an LFU action to statusUpdate.

  • CVE-2015-7765 · Oct 9, 2015
    risk 0.08 · cvss · epss 0.67

    ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser account, which allows remote authenticated users to obtain administrator access by leveraging knowledge of this password.

  • CVE-2014-100002 · Jan 13, 2015
    risk 0.08 · cvss · epss 0.60

    Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to WorkOrder.do in the file attachment for a new ticket.

  • CVE-2022-29081 · Apr 28, 2022
    risk 0.07 · cvss · epss 0.83

    Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via…

  • CVE-2014-5446 · Dec 4, 2014
    risk 0.07 · cvss · epss 0.55

    Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter.

  • CVE-2023-23074 · Feb 1, 2023
    risk 0.06 · cvss · epss 0.84

    Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.

  • CVE-2019-15106 · Aug 16, 2019
    risk 0.06 · cvss · epss 0.25

    An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm.

  • CVE-2014-6036 · Dec 4, 2014
    risk 0.06 · cvss · epss 0.39

    Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the…

  • CVE-2023-28341 · Apr 11, 2023
    risk 0.05 · cvss · epss 0.99

    Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page.

  • CVE-2014-7864 · Feb 4, 2015
    risk 0.05 · cvss · epss 0.23

    Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1)…

  • CVE-2014-6035 · Dec 4, 2014
    risk 0.05 · cvss · epss 0.26

    Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter.

  • CVE-2014-5006 · Oct 21, 2014
    risk 0.05 · cvss · epss 0.25

    Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter to mdm/mdmLogUploader.

  • CVE-2010-3274 · Feb 17, 2011
    risk 0.05 · cvss · epss 0.21

    Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or…

  • CVE-2023-23076 · Feb 1, 2023
    risk 0.04 · cvss · epss 0.74

    OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.

  • CVE-2022-47523 · Jan 5, 2023
    risk 0.04 · cvss · epss 0.71

    Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.

  • CVE-2022-43671 · Nov 12, 2022
    risk 0.04 · cvss · epss 0.75

    Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection.

  • CVE-2022-29457 · Apr 18, 2022
    risk 0.04 · cvss · epss 0.08

    Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

  • CVE-2019-19774 · Dec 13, 2019
    risk 0.04 · cvss · epss 0.13

    An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing…

  • CVE-2019-19649 · Dec 11, 2019
    risk 0.04 · cvss · epss 0.10

    Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function.

  • CVE-2019-17602 · Oct 15, 2019
    risk 0.04 · cvss · epss 0.82

    An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.

  • CVE-2019-12189 · May 21, 2019
    risk 0.04 · cvss · epss 0.06

    An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.

  • CVE-2019-10008 · Apr 24, 2019
    risk 0.04 · cvss · epss 0.20

    Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect…

  • CVE-2019-11469 · Apr 23, 2019
    risk 0.04 · cvss · epss 0.18

    Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.

  • CVE-2019-11448 · Apr 22, 2019
    risk 0.04 · cvss · epss 0.12

    An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to…

  • CVE-2015-5149 · Jun 30, 2015
    risk 0.04 · cvss · epss 0.10

    Directory traversal vulnerability in Zoho ManageEngine SupportCenter Plus 7.90 allows remote authenticated users to write to arbitrary files via a .. (dot dot) in the component parameter in the Request component to workorder/Attachment.jsp.

  • CVE-2015-2169 · Jun 24, 2015
    risk 0.04 · cvss · epss 0.08

    Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 allows remote attackers to inject arbitrary web script or HTML via a Publisher registry entry, which is not properly handled when the machine is scanned.

  • CVE-2014-3997 · Dec 5, 2014
    risk 0.04 · cvss · epss 0.09

    SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and…

  • CVE-2014-5445 · Dec 4, 2014
    risk 0.04 · cvss · epss 0.98

    Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2)…

  • CVE-2014-8498 · Nov 17, 2014
    risk 0.04 · cvss · epss 0.13

    SQL injection vulnerability in BulkEditSearchResult.cc in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allows remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL…

  • CVE-2014-6043 · Sep 11, 2014
    risk 0.04 · cvss · epss 0.13

    ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000.

  • CVE-2024-24409 · Nov 8, 2024
    risk 0.03 · cvss · epss 0.04

    Zohocorp ManageEngine ADManager Plus versions 7203 and prior are vulnerable to Privilege Escalation in the Modify Computers option.

  • CVE-2021-44757 · Jan 18, 2022
    risk 0.03 · cvss · epss 0.24

    Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server.

  • CVE-2019-15104 · Aug 16, 2019
    risk 0.03 · cvss · epss 0.08

    An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently…

  • CVE-2019-15105 · Aug 16, 2019
    risk 0.03 · cvss · epss 0.08

    An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can…

  • CVE-2019-12542 · Jun 5, 2019
    risk 0.03 · cvss · epss 0.06

    An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.

  • CVE-2018-20484 · Dec 26, 2018
    risk 0.03 · cvss · epss 0.05

    Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation.

Page 2 of 6