Filtered by vendor Zohocorp
Subscribe
Search
Total
400 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-20485 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2019-05-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature. | |||||
| CVE-2018-20484 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2019-05-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation. | |||||
| CVE-2019-7426 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2019-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the groupDesc, groupName, groupID, or task parameter. | |||||
| CVE-2019-7427 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2019-05-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the autorefTime or graphTypes parameter. | |||||
| CVE-2019-11448 | 1 Zohocorp | 1 Manageengine Applications Manager | 2019-05-06 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file. | |||||
| CVE-2019-11677 | 1 Zohocorp | 1 Manageengine Firewall Analyzer | 2019-05-03 | 7.5 HIGH | 9.8 CRITICAL |
| The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection. | |||||
| CVE-2019-11678 | 1 Zohocorp | 1 Manageengine Firewall Analyzer | 2019-05-03 | 7.5 HIGH | 9.8 CRITICAL |
| The "default reports" feature in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123218 is vulnerable to SQL Injection. | |||||
| CVE-2019-11676 | 1 Zohocorp | 1 Manageengine Firewall Analyzer | 2019-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| The user defined DNS name in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to stored XSS attacks. | |||||
| CVE-2019-11469 | 1 Zohocorp | 1 Manageengine Applications Manager | 2019-04-26 | 10.0 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature. | |||||
| CVE-2019-10008 | 1 Zohocorp | 1 Servicedesk Plus | 2019-04-25 | 6.5 MEDIUM | 8.8 HIGH |
| Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab. | |||||
| CVE-2017-9362 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2019-04-02 | 6.5 MEDIUM | 8.8 HIGH |
| ManageEngine ServiceDesk Plus before 9312 contains an XML injection at add Configuration items CMDB API. | |||||
| CVE-2017-9376 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2019-04-02 | 5.0 MEDIUM | 6.5 MEDIUM |
| ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do and AssetDefaultConfigDef.do. | |||||
| CVE-2019-7424 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2019-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/index.jsp" file in the view GET parameter or any of these POST parameters: autorefTime, section, snapshot, viewOpt, viewAll, view, or groupSelName. The latter is related to CVE-2009-3903. | |||||
| CVE-2019-7423 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2019-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/editProfile.jsp" file in the userName parameter. | |||||
| CVE-2019-7422 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2019-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/addMailSettings.jsp" file in the gF parameter. | |||||
| CVE-2018-5341 | 1 Zohocorp | 1 Manageengine Desktop Central | 2019-03-05 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: a missing server-side check on the file type/extension when uploading and modifying scripts. | |||||
| CVE-2018-5338 | 1 Zohocorp | 1 Manageengine Desktop Central | 2019-03-05 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: missing authentication/authorization for a database query mechanism. | |||||
| CVE-2018-5337 | 1 Zohocorp | 1 Manageengine Desktop Central | 2019-03-05 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: directory traversal in the SCRIPT_NAME field when modifying existing scripts. | |||||
| CVE-2018-9163 | 1 Zohocorp | 1 Manageengine Recovery Manager Plus | 2019-02-27 | 3.5 LOW | 5.4 MEDIUM |
| A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject arbitrary web script or HTML via the loginName field to technicianAction.do. | |||||
| CVE-2019-8394 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2019-02-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. | |||||
| CVE-2018-18980 | 1 Zohocorp | 2 Manageengine Network Configuration Manager, Manageengine Opmanager | 2019-01-30 | 5.0 MEDIUM | 7.5 HIGH |
| An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server. | |||||
| CVE-2018-17596 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2018-11-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Zoho ManageEngine AssetExplorer, a Stored XSS vulnerability was discovered in the 6.2.0 version via the /AssetDef.do ciName or assetName parameter. | |||||
| CVE-2018-17283 | 1 Zohocorp | 1 Manageengine Opmanager | 2018-11-09 | 5.0 MEDIUM | 7.5 HIGH |
| Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter. | |||||
| CVE-2018-17243 | 1 Zohocorp | 1 Manageengine Opmanager | 2018-11-09 | 7.5 HIGH | 9.8 CRITICAL |
| Global Search in Zoho ManageEngine OpManager before 12.3 123205 allows SQL Injection. | |||||
| CVE-2018-16965 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Zoho ManageEngine SupportCenter Plus before 8.1 Build 8109, there is HTML Injection and Stored XSS via the /ServiceContractDef.do contractName parameter. | |||||
| CVE-2018-16833 | 1 Zohocorp | 1 Manageengine Desktop Central | 2018-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI. | |||||
| CVE-2010-3273 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2018-10-10 | 5.0 MEDIUM | N/A |
| ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allows remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, by providing a user id to accounts/ValidateUser, and then providing a new password to accounts/ResetResult. | |||||
| CVE-2010-3272 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2018-10-10 | 4.3 MEDIUM | N/A |
| accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it easier for remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, via a modified (1) Hide_Captcha or (2) quesList parameter in a validateAll action. | |||||
| CVE-2010-3274 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2018-10-10 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action. | |||||
| CVE-2016-6601 | 1 Zohocorp | 1 Webnms Framework | 2018-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile. | |||||
| CVE-2016-6603 | 1 Zohocorp | 1 Webnms Framework | 2018-10-09 | 5.0 MEDIUM | 9.8 CRITICAL |
| ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header. | |||||
| CVE-2016-6602 | 1 Zohocorp | 1 Webnms Framework | 2018-10-09 | 5.0 MEDIUM | 9.8 CRITICAL |
| ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a remote exploit. | |||||
| CVE-2016-6600 | 1 Zohocorp | 1 Webnms Framework | 2018-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. (dot dot) in the fileName parameter to servlets/FileUploadServlet. | |||||
| CVE-2015-2560 | 1 Zohocorp | 1 Manageengine Desktop Central | 2018-10-09 | 5.0 MEDIUM | 9.8 CRITICAL |
| Manage Engine Desktop Central 9 before build 90135 allows remote attackers to change passwords of users with the Administrator role via an addOrModifyUser operation to servlets/DCOperationsServlet. | |||||
| CVE-2015-0866 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2018-10-09 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustomer, (2) username, or (3) password parameter to HomePage.do. | |||||
| CVE-2014-9331 | 1 Zohocorp | 1 Manageengine Desktop Central | 2018-10-09 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via an addUser action to STATE_ID/1417736606982/roleMgmt.do. | |||||
| CVE-2015-1026 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2018-10-09 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in ZOHO ManageEngine ADManager Plus before 6.2 Build 6270 allow remote attackers to inject arbitrary web script or HTML via the (1) technicianSearchText parameter to the Help Desk Technician page or (2) rolesSearchText parameter to the Help Desk Roles. | |||||
| CVE-2014-7862 | 1 Zohocorp | 1 Desktop Central | 2018-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central MSP before build 90109 allows remote attackers to create administrator accounts via an addPlugInUser action. | |||||
| CVE-2014-7864 | 1 Zohocorp | 1 Manageengine Opmanager | 2018-10-09 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter in a standbyUpdateInCentral operation to servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet. | |||||
| CVE-2011-5105 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2018-10-09 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 allow remote attackers to inject arbitrary web script or HTML via the (1) searchType and (2) searchString parameters, a different vulnerability than CVE-2010-3274. | |||||
| CVE-2018-15168 | 1 Zohocorp | 1 Manageengine Applications Manager | 2018-10-05 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request. | |||||
| CVE-2018-15169 | 1 Zohocorp | 1 Manageengine Applications Manager | 2018-10-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager 13 before build 13820 allows remote attackers to inject arbitrary web script or HTML via the /deleteMO.do method parameter. | |||||
| CVE-2018-11717 | 1 Zohocorp | 1 Manageengine Desktop Central | 2018-09-19 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64 encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the cleartext password of recovery_password of Android devices, the cleartext password of account "set", the location of devices enrolled in the platform (with UUID and information related to the name of the person at the location), critical information about all enrolled devices such as Serial Number, UUID, Model, Name, and auth_session_token (usable to spoof a terminal identity on the platform), etc. | |||||
| CVE-2018-11716 | 1 Zohocorp | 1 Manageengine Desktop Central | 2018-09-17 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in Zoho ManageEngine Desktop Central before 100230. There is unauthenticated remote access to all log files of a Desktop Central instance containing critical information (private information such as location of enrolled devices, cleartext passwords, patching level, etc.) via a GET request on port 8022, 8443, or 8444. | |||||
| CVE-2018-10076 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2018-08-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Zoho ManageEngine EventLog Analyzer 11.12. A Cross-Site Scripting vulnerability allows a remote attacker to inject arbitrary web script or HTML via the search functionality (the search box of the Dashboard). | |||||
| CVE-2018-13050 | 1 Zohocorp | 1 Manageengine Applications Manager | 2018-08-30 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL Injection vulnerability exists in Zoho ManageEngine Applications Manager 13.x before build 13800 via the j_username parameter in a /j_security_check POST request. | |||||
| CVE-2018-10075 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2018-08-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Zoho ManageEngine EventLog Analyzer 11.12 allows remote attackers to inject arbitrary web script or HTML via the import logs feature. | |||||
| CVE-2017-16850 | 1 Zohocorp | 1 Manageengine Applications Manager | 2018-08-28 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action. | |||||
| CVE-2018-12999 | 1 Zohocorp | 1 Manageengine Desktop Central | 2018-08-20 | 6.4 MEDIUM | 7.5 HIGH |
| Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI. | |||||
| CVE-2018-12996 | 1 Zohocorp | 1 Manageengine Applications Manager | 2018-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do. | |||||