Zohocorp : Security Vulnerabilities CVSS score between 5 and 5.99

Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module.
Max Base Score: 5.4 | Published: 2023-07-28 | Updated: 2023-08-03 | EPSS: 0.57%

Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field.
Max Base Score: 5.4 | Published: 2023-07-07 | Updated: 2023-07-12 | EPSS: 0.85%

Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make modifications.
Max Base Score: 5.4 | Published: 2023-07-07 | Updated: 2023-07-13 | EPSS: 0.34%

The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Max Base Score: 5.4 | Published: 2023-02-13 | Updated: 2023-02-15 | EPSS: 1.41%

A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.
Max Base Score: 5.8 | Published: 2023-03-30 | Updated: 2023-04-05 | EPSS: 1.34%

Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.
Max Base Score: 5.3 | Published: 2022-05-20 | Updated: 2022-07-02 | EPSS: 0.07%

Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details.
Max Base Score: 5.3 | Published: 2022-04-16 | Updated: 2022-10-27 | EPSS: 0.18%

Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator).
Max Base Score: 5.3 | Published: 2022-04-16 | Updated: 2022-10-27 | EPSS: 0.18%

Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history.
Max Base Score: 5.4 | Published: 2022-04-05 | Updated: 2022-10-07 | EPSS: 0.11%

Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name.
Max Base Score: 5.3 | Published: 2022-04-05 | Updated: 2022-06-07 | EPSS: 0.10%

Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.
Max Base Score: 5.3 | Published: 2022-03-02 | Updated: 2022-03-09 | EPSS: 1.25%

Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to path traversal which allows copying of files from one directory to another.
Max Base Score: 5.3 | Published: 2021-10-07 | Updated: 2021-10-15 | EPSS: 0.14%

A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser while the browser is connected to a trusted website. The attack targets your application's users and not the application itself while using your application as the attack's vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4.
Max Base Score: 5.4 | Published: 2021-10-05 | Updated: 2021-10-14 | EPSS: 0.13%

Zoho ManageEngine Password Manager Pro before 11.2 11200 allows login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName= username enumeration, because the response (to a failed login request) is null only when the username is invalid.
Max Base Score: 5.3 | Published: 2021-07-31 | Updated: 2021-08-10 | EPSS: 0.12%

Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application.
Max Base Score: 5.9 | Published: 2021-07-02 | Updated: 2022-04-12 | EPSS: 0.80%

In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, attackers are able to retrieve credentials via a browser extension for non-website resource types.
Max Base Score: 5.9 | Published: 2021-06-16 | Updated: 2022-07-12 | EPSS: 0.21%

Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD.
Max Base Score: 5.4 | Published: 2021-07-01 | Updated: 2021-09-21 | EPSS: 0.24%

Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732.
Max Base Score: 5.3 | Published: 2021-06-16 | Updated: 2021-07-09 | EPSS: 2.41%

Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD.
Max Base Score: 5.4 | Published: 2021-06-07 | Updated: 2021-06-14 | EPSS: 0.24%

ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists.
Max Base Score: 5.3 | Published: 2022-01-03 | Updated: 2022-01-13 | EPSS: 0.43%

Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet.
Max Base Score: 5.3 | Published: 2020-02-06 | Updated: 2021-07-21 | EPSS: 0.32%

Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license-related information via the WieldFeedServlet servlet.
Max Base Score: 5.3 | Published: 2020-03-13 | Updated: 2022-03-31 | EPSS: 0.59%

Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a modified Report Name in a New Custom Report.
Max Base Score: 5.4 | Published: 2021-01-06 | Updated: 2021-07-21 | EPSS: 0.12%

** DISPUTED ** AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality.
Max Base Score: 5.3 | Published: 2019-08-21 | Updated: 2019-08-30 | EPSS: 3.19%

A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject arbitrary web script or HTML via the loginName field to technicianAction.do.
Max Base Score: 5.4 | Published: 2018-04-02 | Updated: 2019-02-27 | EPSS: 87.38%

38 vulnerabilities found