Zohocorp

All CVEs

265 total · sorted by risk
  • CVE-2018-20484 · Dec 26, 2018
    risk 0.03 · cvss · epss 0.05

    Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation.

  • CVE-2015-5150 · Jun 30, 2015
    risk 0.03 · cvss · epss 0.04

    Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authenticated users to inject arbitrary web script or HTML via the (1) query parameter in the run_query_editor_query module to CustomReportHandler.do, (2) compAcct…

  • CVE-2015-1479 · Feb 4, 2015
    risk 0.03 · cvss · epss 0.04

    SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter.

  • CVE-2014-9331 · Feb 4, 2015
    risk 0.03 · cvss · epss 0.05

    Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via an addUser action to…

  • CVE-2014-7867 · Dec 4, 2014
    risk 0.03 · cvss · epss 0.40

    SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allows remote attackers or remote authenticated users to execute arbitrary SQL…

  • CVE-2014-6037 · Oct 26, 2014
    risk 0.03 · cvss · epss 0.84

    Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its…

  • CVE-2011-5105 · Aug 23, 2012
    risk 0.03 · cvss · epss 0.06

    Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 allow remote attackers to inject arbitrary web script or HTML via the (1) searchType and (2) searchString parameters, a different vulnerability than…

  • CVE-2010-3272 · Feb 17, 2011
    risk 0.03 · cvss · epss 0.04

    accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it easier for remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, via a modified (1)…

  • CVE-2024-5466 · Aug 23, 2024
    risk 0.02 · cvss · epss 0.07

    Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to the authenticated remote code execution in the deploy agent option.

  • CVE-2023-23073 · Feb 1, 2023
    risk 0.02 · cvss · epss 0.03

    Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.

  • CVE-2023-23077 · Feb 1, 2023
    risk 0.02 · cvss · epss 0.03

    Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.

  • CVE-2023-23078 · Feb 1, 2023
    risk 0.02 · cvss · epss 0.03

    Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.

  • CVE-2020-14048 · Jun 12, 2020
    risk 0.02 · cvss · epss 0.05

    Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents.

  • CVE-2019-19034 · Mar 23, 2020
    risk 0.02 · cvss · epss 0.06

    Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT…

  • CVE-2014-9371 · Dec 16, 2014
    risk 0.02 · cvss · epss 0.19

    The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object.

  • CVE-2025-5966 · Jun 26, 2025
    risk 0.01 · cvss · epss 0.01

    Zohocorp ManageEngine Exchange Reporter Plus versions 5722 and below are vulnerable to Stored XSS in the Attachments by filename keyword report.

  • CVE-2025-5366 · Jun 26, 2025
    risk 0.01 · cvss · epss 0.01

    Zohocorp ManageEngine Exchange Reporter Plus versions 5722 and below are vulnerable to Stored XSS in the Folder-wise read mails with subject report.

  • CVE-2025-36527 · May 23, 2025
    risk 0.01 · cvss · epss 0.20

    Zohocorp ManageEngine ADAudit Plus versions below 8511 are vulnerable to SQL injection while exporting reports.

  • CVE-2024-5471 · Jul 17, 2024
    risk 0.01 · cvss · epss 0.02

    Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to agent takeover vulnerability due to the hard-coded sensitive keys.

  • CVE-2023-28340 · Apr 11, 2023
    risk 0.01 · cvss · epss 0.03

    Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.

  • CVE-2022-25373 · Apr 5, 2022
    risk 0.01 · cvss · epss 0.01

    Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history.

  • CVE-2021-43296 · Nov 30, 2021
    risk 0.01 · cvss · epss 0.03

    Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor.

  • CVE-2021-31160 · Jun 29, 2021
    risk 0.01 · cvss · epss 0.04

    Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data.

  • CVE-2021-20080 · Apr 9, 2021
    risk 0.01 · cvss · epss 0.93

    Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file.

  • CVE-2018-5353 · Sep 29, 2020
    risk 0.01 · cvss · epss 0.08

    The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable…

  • CVE-2019-19799 · Mar 13, 2020
    risk 0.01 · cvss · epss 0.06

    Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet.

  • CVE-2019-19800 · Feb 6, 2020
    risk 0.01 · cvss · epss 0.04

    Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet.

  • CVE-2019-7162 · Dec 31, 2019
    risk 0.01 · cvss · epss 0.04

    An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to retrieve internal information from the system and modify the product installation.

  • CVE-2019-19650 · Dec 11, 2019
    risk 0.01 · cvss · epss 0.06

    Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.

  • CVE-2019-11678 · May 2, 2019
    risk 0.01 · cvss · epss 0.09

    The "default reports" feature in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123218 is vulnerable to SQL Injection.

  • CVE-2019-8395 · Feb 17, 2019
    risk 0.01 · cvss · epss 0.07

    An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.

  • CVE-2025-11669 · Jan 13, 2026
    risk 0.00 · cvss · epss 0.01

    Zohocorp ManageEngine PAM360 versions before 8202; Password Manager Pro versions before 13221; Access Manager Plus versions prior to 4401 are vulnerable to an authorization issue in the initiate remote session functionality.

  • CVE-2025-11250 · Jan 13, 2026
    risk 0.00 · cvss · epss 0.01

    Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations.

  • CVE-2025-9435 · Jan 13, 2026
    risk 0.00 · cvss · epss 0.01

    Zohocorp ManageEngine ADManager Plus versions below 7230 are vulnerable to Path Traversal in the User Management module.

  • CVE-2025-9787 · Dec 18, 2025
    risk 0.00 · cvss · epss 0.01

    Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to Stored Cross-Site Scripting vulnerability in the NOC view.

  • CVE-2025-11670 · Dec 15, 2025
    risk 0.00 · cvss · epss 0.00

    Zohocorp ManageEngine ADManager Plus versions before 8025 are vulnerable to NTLM Hash Exposure. This vulnerability is exploitable only by technicians who have the “Impersonate as Admin” option enabled.

  • CVE-2025-7633 · Nov 11, 2025
    risk 0.00 · cvss · epss 0.00

    Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Custom report.

  • CVE-2025-7632 · Nov 11, 2025
    risk 0.00 · cvss · epss 0.00

    Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Public Folders report.

  • CVE-2025-7430 · Nov 11, 2025
    risk 0.00 · cvss · epss 0.00

    Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Folder Message Count and Size report.

  • CVE-2025-7429 · Nov 11, 2025
    risk 0.00 · cvss · epss 0.00

    Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Mails Deleted or Moved report.

  • CVE-2025-5347 · Oct 30, 2025
    risk 0.00 · cvss · epss 0.00

    Zohocorp ManageEngine Exchange Reporter Plus versions before 5723 are vulnerable to Stored Cross Site Scripting in the reports module.

  • CVE-2025-5343 · Oct 30, 2025
    risk 0.00 · cvss · epss 0.00

    Zohocorp ManageEngine Exchange Reporter Plus versions through 5721 are vulnerable to Stored Cross Site Scripting in the Instant Search option.

  • CVE-2025-5342 · Oct 30, 2025
    risk 0.00 · cvss · epss 0.01

    Zohocorp ManageEngine Exchange Reporter Plus through 5721 are vulnerable to ReDOS vulnerability in the search module.

  • CVE-2025-11248 · Oct 27, 2025
    risk 0.00 · cvss · epss 0.00

    ZohoCorp ManageEngine Endpoint Central versions prior to 11.4.2528.05 are vulnerable to a sensitive information logging issue. An authenticated user with access to the logs could potentially obtain the sensitive agent token.

  • CVE-2025-6239 · Oct 21, 2025
    risk 0.00 · cvss · epss 0.01

    Zohocorp ManageEngine Applications Manager versions 176800 and below are vulnerable to information disclosure in File/Directory monitor.

  • CVE-2025-10020 · Oct 21, 2025
    risk 0.00 · cvss · epss 0.05

    Zohocorp ManageEngine ADManager Plus versions before 8024 are vulnerable to an authenticated command injection vulnerability in the Custom Script component.

  • CVE-2025-9428 · Oct 21, 2025
    risk 0.00 · cvss · epss 0.25

    Zohocorp ManageEngine Analytics Plus versions 6171 and prior are vulnerable to authenticated SQL Injection via the key update api.

  • CVE-2025-7473 · Oct 21, 2025
    risk 0.00 · cvss · epss 0.00

    Zohocorp ManageEngine EndPoint Central versions 11.4.2516.1 and prior are vulnerable to XML Injection.

  • CVE-2025-5496 · Oct 21, 2025
    risk 0.00 · cvss · epss 0.00

    ZohoCorp ManageEngine Endpoint Central versions earlier than 11.4.2508.14, 11.4.2516.06, and 11.4.2518.01 are affected by an arbitrary file deletion vulnerability in the agent setup component.

  • CVE-2025-5494 · Sep 25, 2025
    risk 0.00 · cvss · epss 0.00

    ZohoCorp ManageEngine Endpoint Central was impacted by an improper privilege management issue in the agent setup. This issue affects Endpoint Central: through 11.4.2500.25, through 11.4.2508.13.

Page 3 of 6