| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2022-24681 | 79 | | XSS | 2022-04-07 | 2022-10-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen. |
| 2 | CVE-2022-24447 | 200 | | +Info | 2022-03-02 | 2022-03-09 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An issue was discovered in Zoho ManageEngine Key Manager Plus before 6200. A service exposed by the application allows a user, with the level Operator, to access stored SSL certificates and associated key pairs during export. |
| 3 | CVE-2022-23863 | 269 | | | 2022-01-28 | 2022-02-02 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Zoho ManageEngine Desktop Central before 10.1.2137.10 allows an authenticated user to change any user's login password. |
| 4 | CVE-2021-46166 | 200 | | +Info | 2022-01-10 | 2022-01-13 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Zoho ManageEngine Desktop Central before 10.0.662 allows authenticated users to obtain sensitive information from the database by visiting the Reports page. |
| 5 | CVE-2021-46165 | | | | 2022-01-10 | 2022-01-14 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Zoho ManageEngine Desktop Central before 10.0.662, during startup, launches an executable file from the batch files, but this file's path might not be properly defined. |
| 6 | CVE-2021-43295 | 79 | | XSS | 2021-11-30 | 2022-04-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module. |
| 7 | CVE-2021-43294 | 79 | | XSS | 2021-11-30 | 2022-04-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module. |
| 8 | CVE-2021-40178 | 79 | | XSS | 2021-08-29 | 2021-09-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Zoho ManageEngine Log360 before Build 5224 allows stored XSS via the LOGO_PATH key value in the logon settings. |
| 9 | CVE-2021-40176 | 79 | | XSS | 2021-08-29 | 2021-09-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Zoho ManageEngine Log360 before Build 5225 allows stored XSS. |
| 10 | CVE-2021-37420 | 306 | | | 2021-09-21 | 2022-07-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing. |
| 11 | CVE-2021-37416 | 79 | | XSS | 2021-08-30 | 2021-09-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page. |
| 12 | CVE-2021-36772 | 79 | | XSS | 2021-07-17 | 2021-07-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Zoho ManageEngine ADManager Plus before 7110 allows stored XSS. |
| 13 | CVE-2021-36771 | 79 | | XSS | 2021-07-17 | 2021-07-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS. |
| 14 | CVE-2021-31874 | | | +Info | 2021-07-02 | 2022-04-12 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application. |
| 15 | CVE-2021-31857 | | | | 2021-06-16 | 2022-07-12 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, attackers are able to retrieve credentials via a browser extension for non-website resource types. |
| 16 | CVE-2021-27956 | 79 | | XSS | 2021-05-20 | 2021-05-26 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field. |
| 17 | CVE-2021-27214 | 79 | | XSS | 2021-02-19 | 2022-07-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905. |
| 18 | CVE-2021-20080 | 79 | | XSS | 2021-04-09 | 2021-04-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file. |
| 19 | CVE-2020-35594 | 79 | | XSS | 2021-03-05 | 2021-03-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Zoho ManageEngine ADManager Plus before 7066 allows XSS. |
| 20 | CVE-2020-15595 | 732 | | +Info | 2020-09-30 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An issue was discovered in Zoho Application Control Plus before version 10.0.511. The Element Configuration feature (to configure elements included in the scope of elements managed by the product) allows an attacker to retrieve the entire list of the IP ranges and subnets configured in the product and consequently obtain information about the cartography of the internal networks to which the product has access. |
| 21 | CVE-2020-15594 | 200 | | +Info | 2020-09-30 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to perform a scan in order to discover open ports on a machine as well as available machines on the network segment on which the instance of the product is deployed. |
| 22 | CVE-2020-15521 | 79 | | XSS | 2020-09-25 | 2020-09-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS). |
| 23 | CVE-2020-13154 | 522 | | | 2020-05-18 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet. |
| 24 | CVE-2020-10859 | 22 | | Dir. Trav. | 2020-05-05 | 2020-05-12 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request. |
| 25 | CVE-2020-8838 | 354 | | Exec Code | 2020-03-23 | 2022-10-07 | 4.9 | None | Local Network | Medium | ??? | Partial | Partial | Partial | An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. During an upgrade of the Windows agent, it does not validate the source and binary downloaded. This allows an attacker on an adjacent network to execute code with NT AUTHORITY/SYSTEM privileges on the agent machines by providing an arbitrary executable via a man-in-the-middle attack. |
| 26 | CVE-2020-8422 | 522 | | | 2020-01-31 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password). |
| 27 | CVE-2019-20474 | 918 | | | 2020-02-17 | 2022-01-01 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF. |
| 28 | CVE-2019-19774 | | | Bypass | 2019-12-13 | 2023-02-15 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing credential data stored in the database, and recover the MD5 hashes of the accounts used to authenticate the ManageEngine platform to the managed machines on the network (most often administrative accounts). Specifically, this bypasses these restrictions: a query cannot mention password, and a query result cannot have a password column. |
| 29 | CVE-2019-17112 | 552 | | | 2019-10-09 | 2019-11-20 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An issue was discovered in Zoho ManageEngine DataSecurity Plus before 5.0.1 5012. An exposed service allows a basic user ("Operator" access level) to access the configuration file of the mail server (except for the password). |
| 30 | CVE-2019-15510 | 79 | | XSS | 2020-03-23 | 2023-02-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 10 allows HTML injection on the user administration page via the description of a role. |
| 31 | CVE-2019-15083 | 79 | | Exec Code XSS | 2020-05-14 | 2020-05-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server > \<workstation\> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator visualizes this page. |
| 32 | CVE-2019-12597 | 79 | | XSS | 2019-07-11 | 2023-03-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via ResourcesAttachments.jsp with the parameter pageName. |
| 33 | CVE-2019-12596 | 79 | | XSS | 2019-07-11 | 2023-03-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via SoftwareListView.do with the parameter swType or swComplianceType. |
| 34 | CVE-2019-12595 | 79 | | XSS | 2019-07-11 | 2023-03-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via the RCSettings.do rdsName parameter. |
| 35 | CVE-2019-12543 | 79 | | XSS | 2019-06-05 | 2019-06-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter. |
| 36 | CVE-2019-12542 | 79 | | XSS | 2019-06-05 | 2019-06-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter. |
| 37 | CVE-2019-12541 | 79 | | XSS | 2019-06-05 | 2019-06-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter. |
| 38 | CVE-2019-12540 | 79 | | XSS | 2019-07-11 | 2019-07-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. There is XSS via the WorkOrder.do search field. |
| 39 | CVE-2019-12539 | 79 | | XSS | 2019-07-11 | 2021-01-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus. There is XSS via the SearchN.do search field, a different vulnerability than CVE-2019-12189. |
| 40 | CVE-2019-12538 | 79 | | XSS | 2019-06-05 | 2019-06-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field. |
| 41 | CVE-2019-12537 | 79 | | XSS | 2019-07-11 | 2023-03-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via the SearchN.do search field. |
| 42 | CVE-2019-12252 | 639 | | | 2019-05-21 | 2023-03-01 | 4.0 | None | Remote | Low | ??? | Partial | None | None | In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring. |
| 43 | CVE-2019-12189 | 79 | | XSS | 2019-05-21 | 2019-05-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field. |
| 44 | CVE-2019-11676 | 79 | | XSS | 2019-05-02 | 2019-05-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The user defined DNS name in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to stored XSS attacks. |
| 45 | CVE-2019-11511 | 79 | | XSS | 2019-04-25 | 2019-06-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API. |
| 46 | CVE-2019-10273 | 287 | | +Info | 2019-04-04 | 2020-08-24 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users to enumerate active users. Due to a flaw within the way the authentication is handled, an attacker is able to login and verify any active account. |
| 47 | CVE-2019-8929 | 79 | | XSS | 2019-05-17 | 2019-05-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/selectDevice.jsp file in these GET parameters: param and rtype. |
| 48 | CVE-2019-8928 | 79 | | XSS | 2019-05-17 | 2019-05-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in /netflow/jspui/userManagementForm.jsp via these GET parameters: authMeth, passWord, pwd1, and userName. |
| 49 | CVE-2019-8927 | 79 | | XSS | 2019-05-17 | 2019-05-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/scheduleConfig.jsp file via these GET parameters: devSrc, emailId, excWeekModify, filterFlag, getFilter, mailReport, mset, popup, rep_schedule, rep_Type, schDesc, schName, schSource, selectDeviceDone, task, val10, and val11. |
| 50 | CVE-2019-8926 | 79 | | XSS | 2019-05-17 | 2019-05-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/popup1.jsp file via these GET parameters: bussAlert, customDev, and selSource. |