| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2020-14048 |
306 |
|
|
2020-06-12 |
2020-06-17 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents. |
|
2 |
CVE-2020-13818 |
22 |
|
Dir. Trav. Bypass |
2020-06-04 |
2020-06-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed. |
|
3 |
CVE-2020-12116 |
200 |
|
+Info |
2020-05-07 |
2020-05-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. |
|
4 |
CVE-2020-11946 |
200 |
|
+Info |
2020-04-20 |
2020-04-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call. |
|
5 |
CVE-2020-11527 |
200 |
|
+Info |
2020-04-04 |
2020-04-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. |
|
6 |
CVE-2020-10816 |
287 |
|
|
2020-10-08 |
2020-10-15 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet. |
|
7 |
CVE-2020-8509 |
200 |
|
+Info |
2020-03-30 |
2020-04-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure. |
|
8 |
CVE-2019-19800 |
200 |
|
+Info |
2020-02-06 |
2020-02-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet. |
|
9 |
CVE-2019-19799 |
200 |
|
+Info |
2020-03-13 |
2020-03-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet. |
|
10 |
CVE-2019-18781 |
601 |
|
|
2019-12-18 |
2020-01-06 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site. |
|
11 |
CVE-2019-15046 |
200 |
|
+Info |
2019-08-14 |
2019-08-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989. |
|
12 |
CVE-2019-15045 |
200 |
|
+Info |
2019-08-21 |
2019-08-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
** DISPUTED ** AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality. |
|
13 |
CVE-2019-14693 |
611 |
|
|
2019-08-08 |
2019-10-09 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
None |
Partial |
|
Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. |
|
14 |
CVE-2019-7161 |
326 |
|
|
2019-03-21 |
2019-04-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data. |
|
15 |
CVE-2018-19118 |
787 |
|
DoS Overflow |
2018-12-13 |
2020-08-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Zoho ManageEngine ADAudit before 5.1 build 5120 allows remote attackers to cause a denial of service (stack-based buffer overflow) via the 'Domain Name' field when adding a new domain. |
|
16 |
CVE-2018-18980 |
611 |
|
|
2018-11-06 |
2019-01-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server. |
|
17 |
CVE-2018-17283 |
89 |
|
Sql |
2018-09-21 |
2018-11-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter. |
|
18 |
CVE-2018-12997 |
200 |
|
+Info |
2018-06-29 |
2018-08-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers to read certain files on the web server without login by sending a specially crafted request to the server with the operation=copyfile&fileName= substring. |
|
19 |
CVE-2018-11717 |
532 |
|
+Info |
2018-07-16 |
2018-09-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64 encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the cleartext password of recovery_password of Android devices, the cleartext password of account "set", the location of devices enrolled in the platform (with UUID and information related to the name of the person at the location), critical information about all enrolled devices such as Serial Number, UUID, Model, Name, and auth_session_token (usable to spoof a terminal identity on the platform), etc. |
|
20 |
CVE-2018-11716 |
532 |
|
|
2018-07-16 |
2018-09-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in Zoho ManageEngine Desktop Central before 100230. There is unauthenticated remote access to all log files of a Desktop Central instance containing critical information (private information such as location of enrolled devices, cleartext passwords, patching level, etc.) via a GET request on port 8022, 8443, or 8444. |
|
21 |
CVE-2018-7248 |
|
|
|
2018-05-11 |
2020-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the accounts exists, or 'null' if it does not. |
|
22 |
CVE-2017-16924 |
330 |
|
Bypass |
2018-02-19 |
2019-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157. |
|
23 |
CVE-2017-11559 |
89 |
|
Sql |
2019-05-23 |
2019-05-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack. |
|
24 |
CVE-2017-11557 |
200 |
|
+Info |
2019-05-23 |
2019-05-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request. |
|
25 |
CVE-2017-9376 |
20 |
|
File Inclusion |
2019-03-25 |
2019-04-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do and AssetDefaultConfigDef.do. |
|
26 |
CVE-2016-6603 |
20 |
|
Bypass |
2017-01-23 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header. |
|
27 |
CVE-2016-6602 |
327 |
|
|
2017-01-23 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a remote exploit. |
|
28 |
CVE-2016-6601 |
22 |
|
Dir. Trav. |
2017-01-23 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile. |
|
29 |
CVE-2016-4890 |
254 |
|
+Info |
2017-04-14 |
2017-05-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie. |
|
30 |
CVE-2015-9107 |
310 |
|
|
2017-08-04 |
2017-08-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor. |
|
31 |
CVE-2015-7781 |
275 |
|
|
2017-06-27 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ManageEngine Firewall Analyzer before 8.0 does not restrict access permissions. |
|
32 |
CVE-2015-5149 |
22 |
|
Dir. Trav. |
2015-06-30 |
2016-12-07 |
5.5 |
None |
Remote |
Low |
??? |
None |
Partial |
Partial |
|
Directory traversal vulnerability in Zoho ManageEngine SupportCenter Plus 7.90 allows remote authenticated users to write to arbitrary files via a .. (dot dot) in the component parameter in the Request component to workorder/Attachment.jsp. |
|
33 |
CVE-2015-4418 |
284 |
|
|
2015-06-09 |
2016-12-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. |
|
34 |
CVE-2015-2560 |
264 |
|
|
2017-08-02 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Manage Engine Desktop Central 9 before build 90135 allows remote attackers to change passwords of users with the Administrator role via an addOrModifyUser operation to servlets/DCOperationsServlet. |
|
35 |
CVE-2014-100002 |
22 |
1
|
Dir. Trav. |
2015-01-13 |
2017-09-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to WorkOrder.do in the file attachment for a new ticket. |
|
36 |
CVE-2014-7863 |
200 |
|
+Info |
2020-02-08 |
2020-02-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet. |
|
37 |
CVE-2014-6039 |
522 |
|
|
2020-01-13 |
2020-03-26 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ManageEngine EventLog Analyzer version 7 through 9.9 build 9002 has a Credentials Disclosure Vulnerability. Fixed version 10 Build 10000. |
|
38 |
CVE-2014-6038 |
200 |
|
+Info |
2020-01-13 |
2020-03-26 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Zoho ManageEngine EventLog Analyzer versions 7 through 9.9 build 9002 have a database Information Disclosure Vulnerability. Fixed in EventLog Analyzer 10.0 Build 10000. |
|
39 |
CVE-2014-6034 |
22 |
|
Dir. Trav. |
2014-12-04 |
2014-12-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter. |
|
40 |
CVE-2014-5446 |
22 |
|
Dir. Trav. |
2014-12-04 |
2019-07-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter. |
|
41 |
CVE-2014-5445 |
22 |
|
Dir. Trav. |
2014-12-04 |
2019-07-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet. |
|
42 |
CVE-2010-3273 |
20 |
|
|
2011-02-17 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allows remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, by providing a user id to accounts/ValidateUser, and then providing a new password to accounts/ResetResult. |
