CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Zohocorp : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-28959 22 Exec Code Dir. Trav. 2021-04-30 2021-05-11
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Eventlog Analyzer through 12147 is vulnerable to unauthenticated directory traversal via an entry in a ZIP archive. This leads to remote code execution.
2 CVE-2021-27956 79 XSS 2021-05-20 2021-05-26
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.
3 CVE-2021-27214 79 XSS 2021-02-19 2021-02-26
4.3
None Remote Medium Not required None Partial None
A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905.
4 CVE-2021-20080 79 XSS 2021-04-09 2021-04-19
4.3
None Remote Medium Not required None Partial None
Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file.
5 CVE-2021-20078 22 DoS Dir. Trav. 2021-04-01 2021-04-06
9.4
None Remote Low Not required None Complete Complete
Manage Engine OpManager builds below 125346 are vulnerable to a remote denial of service vulnerability due to a path traversal issue in spark gateway component. This allows a remote attacker to remotely delete any directory or directories on the OS.
6 CVE-2021-3287 502 Exec Code Bypass 2021-04-22 2021-04-30
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class.
7 CVE-2020-35765 89 Sql 2021-02-05 2021-02-17
6.5
None Remote Low ??? Partial Partial Partial
doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do.
8 CVE-2020-35682 863 Bypass 2021-03-13 2021-03-18
6.5
None Remote Low ??? Partial Partial Partial
Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).
9 CVE-2020-35594 79 XSS 2021-03-05 2021-03-11
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine ADManager Plus before 7066 allows XSS.
10 CVE-2020-29658 326 2021-03-05 2021-03-12
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Application Control Plus before 100523 has an insecure SSL configuration setting for Nginx, leading to Privilege Escalation.
11 CVE-2020-28653 Exec Code 2021-02-03 2021-02-05
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.
12 CVE-2020-28050 863 2021-03-05 2021-03-12
6.4
None Remote Low Not required Partial Partial None
Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server.
13 CVE-2020-27995 89 Exec Code Sql 2020-10-29 2020-11-03
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter.
14 CVE-2020-27733 89 Sql 2021-01-19 2021-01-26
6.5
None Remote Low ??? Partial Partial Partial
Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.
15 CVE-2020-24786 287 Bypass 2020-08-31 2020-09-10
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise.
16 CVE-2020-24397 190 Exec Code Overflow 2020-10-02 2020-10-09
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges.
17 CVE-2020-16267 89 Sql 2020-10-06 2020-10-14
6.5
None Remote Low ??? Partial Partial Partial
Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module.
18 CVE-2020-15927 89 Sql 2020-10-06 2020-10-14
6.5
None Remote Low ??? Partial Partial Partial
Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module.
19 CVE-2020-15595 732 +Info 2020-09-30 2020-10-19
4.0
None Remote Low ??? Partial None None
An issue was discovered in Zoho Application Control Plus before version 10.0.511. The Element Configuration feature (to configure elements included in the scope of elements managed by the product) allows an attacker to retrieve the entire list of the IP ranges and subnets configured in the product and consequently obtain information about the cartography of the internal networks to which the product has access.
20 CVE-2020-15594 200 +Info 2020-09-30 2020-10-13
4.0
None Remote Low ??? Partial None None
An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to perform a scan in order to discover open ports on a machine as well as available machines on the network segment on which the instance of the product is deployed.
21 CVE-2020-15589 Exec Code 2020-10-02 2020-10-09
6.8
None Remote Medium Not required Partial Partial Partial
A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. By exploiting this issue, an attacker-controlled server can force the client to skip TLS certificate validation, leading to a man-in-the-middle attack against HTTPS and unauthenticated remote code execution.
22 CVE-2020-15588 190 Exec Code Overflow 2020-07-29 2021-04-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. This issue will occur only when untrusted communication is initiated with server. In cloud, Agent will always connect with trusted communication.
23 CVE-2020-15533 89 Sql 2020-10-01 2020-10-13
7.5
None Remote Low Not required Partial Partial Partial
In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack.
24 CVE-2020-15521 79 XSS 2020-09-25 2020-09-30
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS) .
25 CVE-2020-15394 89 Exec Code Sql 2020-09-25 2020-09-30
7.5
None Remote Low Not required Partial Partial Partial
The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution.
26 CVE-2020-14048 306 2020-06-12 2020-06-17
5.0
None Remote Low Not required None Partial None
Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents.
27 CVE-2020-14008 434 Exec Code 2020-09-04 2020-09-16
6.5
None Remote Low ??? Partial Partial Partial
Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution.
28 CVE-2020-13818 22 Dir. Trav. Bypass 2020-06-04 2020-06-09
5.0
None Remote Low Not required Partial None None
In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed.
29 CVE-2020-13154 522 2020-05-18 2020-05-19
4.0
None Remote Low ??? Partial None None
Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet.
30 CVE-2020-12116 200 +Info 2020-05-07 2020-05-12
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.
31 CVE-2020-11946 200 +Info 2020-04-20 2020-04-28
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call.
32 CVE-2020-11552 269 2020-08-11 2020-08-13
10.0
None Remote Low Not required Complete Complete Complete
An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick-client software is launched, which connects to a remote ADSelfService Plus server to facilitate self-service operations. An unauthenticated attacker having physical access to the host could trigger a security alert by supplying a self-signed SSL certificate to the client. The View Certificate option from the security alert allows an attacker to export a displayed certificate to a file. This can further cascade to a dialog that can open Explorer as SYSTEM. By navigating from Explorer to \windows\system32, cmd.exe can be launched as a SYSTEM.
33 CVE-2020-11532 287 Bypass 2020-05-08 2020-08-21
10.0
None Remote Low Not required Complete Complete Complete
Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of admin user.
34 CVE-2020-11531 22 Exec Code Dir. Trav. 2020-05-08 2020-05-18
6.5
None Remote Low ??? Partial Partial Partial
The DataEngine Xnode Server application in Zoho ManageEngine DataSecurity Plus prior to 6.0.1 does not validate the database schema name when handling a DR-SCHEMA-SYNC request. This allows an authenticated attacker to execute code in the context of the product by writing a JSP file to the webroot directory via directory traversal.
35 CVE-2020-11527 200 +Info 2020-04-04 2020-04-06
5.0
None Remote Low Not required Partial None None
In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files.
36 CVE-2020-11518 Exec Code 2020-04-04 2020-04-06
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution.
37 CVE-2020-10859 22 Dir. Trav. 2020-05-05 2020-05-12
4.0
None Remote Low ??? None Partial None
Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request.
38 CVE-2020-10816 287 2020-10-08 2020-10-15
5.0
None Remote Low Not required None Partial None
Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet.
39 CVE-2020-10541 20 Exec Code 2020-03-13 2020-03-18
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine OpManager before 12.4.179 allows remote code execution via a specially crafted Mail Server Settings v1 API request. This was fixed in 12.5.108.
40 CVE-2020-10189 502 Exec Code 2020-03-06 2020-03-09
10.0
None Remote Low Not required Complete Complete Complete
Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.
41 CVE-2020-9367 427 2021-03-18 2021-03-25
6.9
None Local Medium Not required Complete Complete Complete
The MPS Agent in Zoho ManageEngine Desktop Central MSP build MSP build 10.0.486 is vulnerable to DLL Hijacking: dcinventory.exe and dcconfig.exe try to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because this DLL is missing from the installation, thus making it possible to hijack the DLL and subsequently inject code, leading to an escalation of privilege to NT AUTHORITY\SYSTEM.
42 CVE-2020-9347 74 2020-03-16 2020-03-20
7.5
None Remote Low Not required Partial Partial Partial
** DISPUTED ** Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products.
43 CVE-2020-9346 352 CSRF 2020-03-16 2020-03-20
6.8
None Remote Medium Not required Partial Partial Partial
Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role.
44 CVE-2020-8838 354 Exec Code 2020-03-23 2020-05-08
4.9
None Local Network Medium ??? Partial Partial Partial
An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. During an upgrade of the Windows agent, it does not validate the source and binary downloaded. This allows an attacker on an adjacent network to execute code with NT AUTHORITY/SYSTEM privileges on the agent machines by providing an arbitrary executable via a man-in-the-middle attack.
45 CVE-2020-8540 611 2020-03-11 2020-03-13
7.5
None Remote Low Not required Partial Partial Partial
An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
46 CVE-2020-8509 200 +Info 2020-03-30 2020-04-23
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure.
47 CVE-2020-8422 522 2020-01-31 2020-02-04
4.0
None Remote Low ??? Partial None None
An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password).
48 CVE-2020-6843 79 XSS 2020-01-23 2020-01-27
3.5
None Remote Medium ??? None Partial None
Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959.
49 CVE-2019-20474 918 2020-02-17 2020-02-20
4.0
None Remote Low ??? Partial None None
An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF.
50 CVE-2019-19800 200 +Info 2020-02-06 2020-02-11
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet.
Total number of vulnerabilities : 261   Page : 1 (This Page)2 3 4 5 6
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.