CVEdetails.com the ultimate security vulnerability data source
Zohocorp : Security Vulnerabilities

Each entry below gives: # . CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date | Score, then the CVSS access metrics (Gained Access Level, Access, Complexity, Authentication, Conf., Integ., Avail.), then the description. The "# of Exploits" column is blank for every entry on this page; entries showing "???" for Authentication reproduce that value as given by the source.

1. CVE-2022-29535 | CWE-89 | Sql | published 2022-05-05 | updated 2022-05-17 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports.

2. CVE-2022-29457 | CWE-522 | (no type) | published 2022-04-18 | updated 2022-05-11 | score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

3. CVE-2022-29081 | CWE-863 | Bypass | published 2022-04-28 | updated 2022-05-10 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents, and Synchronize) via the ../RestAPI substring.

4. CVE-2022-28987 | (no CWE) | (no type) | published 2022-05-20 | updated 2022-06-01 | score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: None | Avail.: None
   ManageEngine ADSelfService Plus v6.1 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.

5. CVE-2022-28810 | CWE-78 | Exec Code | published 2022-04-18 | updated 2022-04-26 | score 7.1
   Gained access: None | Access: Remote | Complexity: High | Authentication: ??? | Conf.: Complete | Integ.: Complete | Avail.: Complete
   Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.

6. CVE-2022-28219 | CWE-611 | Exec Code | published 2022-04-05 | updated 2022-04-12 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.

7. CVE-2022-27908 | CWE-89 | Sql | published 2022-04-18 | updated 2022-04-26 | score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.

8. CVE-2022-26777 | CWE-668 | (no type) | published 2022-04-16 | updated 2022-04-26 | score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: None | Avail.: None
   Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details.

9. CVE-2022-26653 | CWE-668 | (no type) | published 2022-04-16 | updated 2022-04-26 | score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: None | Avail.: None
   Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator).

10. CVE-2022-25373 | CWE-79 | XSS | published 2022-04-05 | updated 2022-04-12 | score 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf.: None | Integ.: Partial | Avail.: None
   Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history.

11. CVE-2022-25245 | CWE-200 | +Info | published 2022-04-05 | updated 2022-06-07 | score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: None | Avail.: None
   Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name.

12. CVE-2022-24978 | CWE-522 | (no type) | published 2022-04-05 | updated 2022-04-12 | score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response.

13. CVE-2022-24681 | CWE-79 | XSS | published 2022-04-07 | updated 2022-05-17 | score 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: None
   Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.

14. CVE-2022-24447 | CWE-200 | +Info | published 2022-03-02 | updated 2022-03-09 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: None | Avail.: None
   An issue was discovered in Zoho ManageEngine Key Manager Plus before 6200. A service exposed by the application allows a user, with the level Operator, to access stored SSL certificates and associated key pairs during export.

15. CVE-2022-24446 | CWE-668 | (no type) | published 2022-03-01 | updated 2022-03-08 | score 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf.: Partial | Integ.: None | Avail.: None
   An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user, with the level Operator, can see all SSH servers (and user information) even if no SSH server or user is associated to the operator.

16. CVE-2022-24306 | CWE-863 | (no type) | published 2022-03-02 | updated 2022-03-09 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled.

17. CVE-2022-24305 | CWE-269 | (no type) | published 2022-03-02 | updated 2022-03-09 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation.

18. CVE-2022-23863 | CWE-269 | (no type) | published 2022-01-28 | updated 2022-02-02 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: None | Integ.: Partial | Avail.: None
   Zoho ManageEngine Desktop Central before 10.1.2137.10 allows an authenticated user to change any user's login password.

19. CVE-2022-23779 | CWE-200 | +Info | published 2022-03-02 | updated 2022-03-09 | score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: None | Avail.: None
   Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.

20. CVE-2022-23050 | CWE-434 | (no type) | published 2022-05-24 | updated 2022-06-08 | score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality.

21. CVE-2021-46166 | CWE-200 | +Info | published 2022-01-10 | updated 2022-01-13 | score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: None | Avail.: None
   Zoho ManageEngine Desktop Central before 10.0.662 allows authenticated users to obtain sensitive information from the database by visiting the Reports page.

22. CVE-2021-46165 | (no CWE) | (no type) | published 2022-01-10 | updated 2022-01-14 | score 4.6
   Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine Desktop Central before 10.0.662, during startup, launches an executable file from the batch files, but this file's path might not be properly defined.

23. CVE-2021-46164 | (no CWE) | Exec Code | published 2022-01-10 | updated 2022-01-14 | score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine Desktop Central before 10.0.662 allows remote code execution by an authenticated user who has complete access to the Reports module.

24. CVE-2021-46065 | CWE-79 | XSS | published 2022-01-27 | updated 2022-02-02 | score 3.5
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: ??? | Conf.: None | Integ.: Partial | Avail.: None
   A Cross-site scripting (XSS) vulnerability in the Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows attackers to inject arbitrary JavaScript code.

25. CVE-2021-44757 | CWE-287 | Bypass | published 2022-01-18 | updated 2022-01-24 | score 6.4
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: None
   Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server.

26. CVE-2021-44676 | CWE-668 | (no type) | published 2021-12-20 | updated 2022-01-04 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine Access Manager Plus before 4203 allows anyone to view a few data elements (e.g., access control details) and modify a few aspects of the application state.

27. CVE-2021-44675 | CWE-287 | Exec Code Bypass | published 2021-12-20 | updated 2022-01-03 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in which authentication is not required.

28. CVE-2021-44652 | (no CWE) | Exec Code | published 2022-01-12 | updated 2022-01-25 | score 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine O365 Manager Plus before Build 4416 allows remote code execution via BCP file overwrite through the ChangeDBAPI component.

29. CVE-2021-44651 | CWE-434 | Exec Code | published 2022-01-12 | updated 2022-01-24 | score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine CloudSecurityPlus before Build 4117 allows remote code execution through the updatePersonalizeSettings component due to an improper security patch for CVE-2021-40175.

30. CVE-2021-44650 | (no CWE) | Exec Code | published 2022-01-12 | updated 2022-01-24 | score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote command execution when updating proxy settings through the Admin ProxySettings and Tenant ProxySettings components.

31. CVE-2021-44526 | CWE-287 | Bypass | published 2021-12-23 | updated 2022-01-06 | score 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

32. CVE-2021-44525 | CWE-668 | Bypass | published 2021-12-20 | updated 2022-01-04 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine PAM360 before build 5303 allows attackers to modify a few aspects of application state because of a filter bypass in which authentication is not required.

33. CVE-2021-44515 | CWE-287 | Exec Code Bypass | published 2021-12-12 | updated 2021-12-16 | score 10.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Complete | Integ.: Complete | Avail.: Complete
   Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.

34. CVE-2021-44514 | CWE-287 | (no type) | published 2021-12-09 | updated 2021-12-15 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories.

35. CVE-2021-44077 | CWE-287 | Exec Code | published 2021-11-29 | updated 2022-03-29 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

36. CVE-2021-43319 | CWE-77 | (no type) | published 2021-11-30 | updated 2022-04-06 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality.

37. CVE-2021-43296 | CWE-918 | (no type) | published 2021-11-30 | updated 2022-04-27 | score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: None | Avail.: None
   Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor.

38. CVE-2021-43295 | CWE-79 | XSS | published 2021-11-30 | updated 2022-04-27 | score 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: None
   Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module.

39. CVE-2021-43294 | CWE-79 | XSS | published 2021-11-30 | updated 2022-04-27 | score 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: None
   Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module.

40. CVE-2021-42847 | (no CWE) | (no type) | published 2021-11-11 | updated 2022-04-27 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files.

41. CVE-2021-42099 | CWE-434 | Exec Code | published 2021-11-30 | updated 2021-12-06 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution.

42. CVE-2021-42002 | CWE-863 | Exec Code Bypass | published 2021-11-11 | updated 2021-11-15 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine ADManager Plus before 7115 is vulnerable to a filter bypass that leads to file-upload remote code execution.

43. CVE-2021-41833 | CWE-434 | Exec Code | published 2021-11-11 | updated 2021-11-15 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine Patch Connect Plus before 90099 is vulnerable to unauthenticated remote code execution.

44. CVE-2021-41829 | CWE-326 | (no type) | published 2021-09-30 | updated 2021-10-05 | score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: None | Avail.: None
   Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application's build number to calculate a certain encryption key.

45. CVE-2021-41828 | CWE-798 | (no type) | published 2021-09-30 | updated 2021-10-05 | score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: None | Avail.: None
   Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials associated with resetPWD.xml.

46. CVE-2021-41827 | CWE-798 | (no type) | published 2021-09-30 | updated 2021-10-05 | score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: None | Avail.: None
   Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials for read-only access. The credentials are in the source code that corresponds to the DCBackupRestore JAR archive.

47. CVE-2021-41288 | CWE-89 | Sql | published 2021-09-30 | updated 2021-10-07 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API.

48. CVE-2021-41081 | CWE-89 | Sql | published 2021-11-11 | updated 2022-05-16 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine Network Configuration Manager before ??125465 is vulnerable to SQL Injection in a configuration search.

49. CVE-2021-41080 | CWE-89 | Sql | published 2021-11-11 | updated 2022-05-16 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Zoho ManageEngine Network Configuration Manager before ??125465 is vulnerable to SQL Injection in a hardware details search.

50. CVE-2021-41075 | CWE-89 | Sql | published 2021-10-13 | updated 2021-10-19 | score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   The NetFlow Analyzer in Zoho ManageEngine OpManager before 125455 is vulnerable to SQL Injection in the Attacks Module API.
Total number of vulnerabilities: 375 (this is page 1 of 8; entries 1 to 50 are shown above).