| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2022-28987 | | | | 2022-05-20 | 2022-06-01 | 5.0 | None | Remote | Low | Not required | Partial | None | None | ManageEngine ADSelfService Plus v6.1 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login. |
| 2 | CVE-2022-26777 | 668 | | | 2022-04-16 | 2022-04-26 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details. |
| 3 | CVE-2022-26653 | 668 | | | 2022-04-16 | 2022-04-26 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator). |
| 4 | CVE-2022-25245 | 200 | | +Info | 2022-04-05 | 2022-06-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name. |
| 5 | CVE-2022-23779 | 200 | | +Info | 2022-03-02 | 2022-03-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses. |
| 6 | CVE-2021-43296 | 918 | | | 2021-11-30 | 2022-04-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor. |
| 7 | CVE-2021-41829 | 326 | | | 2021-09-30 | 2021-10-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application's build number to calculate a certain encryption key. |
| 8 | CVE-2021-41828 | 798 | | | 2021-09-30 | 2021-10-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials associated with resetPWD.xml. |
| 9 | CVE-2021-41827 | 798 | | | 2021-09-30 | 2021-10-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials for read-only access. The credentials are in the source code that corresponds to the DCBackupRestore JAR archive. |
| 10 | CVE-2021-37922 | 22 | | Dir. Trav. | 2021-10-07 | 2021-10-15 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to path traversal, which allows copying of files from one directory to another. |
| 11 | CVE-2021-37419 | 918 | | | 2021-09-21 | 2022-03-18 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF. |
| 12 | CVE-2021-37417 | 20 | | Bypass | 2021-08-30 | 2021-09-02 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation. |
| 13 | CVE-2021-37414 | 287 | | | 2021-09-10 | 2021-12-20 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine DesktopCentral before 10.0.709 allows anyone to get a valid user's APIKEY without authentication. |
| 14 | CVE-2021-33617 | | | | 2021-07-31 | 2021-08-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine Password Manager Pro before 11.2 11200 allows login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName= username enumeration, because the response (to a failed login request) is null only when the username is invalid. |
| 15 | CVE-2021-31530 | | | | 2021-06-29 | 2021-09-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure. |
| 16 | CVE-2021-31160 | | | | 2021-06-29 | 2021-07-02 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data. |
| 17 | CVE-2021-31159 | 209 | | | 2021-06-16 | 2021-07-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732. |
| 18 | CVE-2021-20147 | 203 | | | 2022-01-03 | 2022-01-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists. |
| 19 | CVE-2021-20109 | 295 | | Overflow | 2021-07-19 | 2021-07-28 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Due to the Asset Explorer agent not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as well as receive the agent's HTTP request verifying its authtoken. In AEAgent.cpp, the agent responding back over HTTP is vulnerable to a Heap Overflow if the POST payload response is too large. The POST payload response is converted to Unicode using vswprintf. This is written to a buffer only 0x2000 bytes big. If the POST payload is larger, then a heap overflow will occur. |
| 20 | CVE-2021-20108 | 401 | | DoS Exec Code | 2021-07-19 | 2021-07-28 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Manage Engine Asset Explorer Agent 1.0.34 listens on port 9000 for incoming commands over HTTPS from Manage Engine Server. The HTTPS certificates are not verified, which allows any arbitrary user on the network to send commands over port 9000. While these commands may not be executed (due to authtoken validation), the Asset Explorer agent will reach out to the Manage Engine server for an HTTP request. During this process, AEAgent.cpp allocates 0x66 bytes using "malloc". This memory is never freed in the program, causing a memory leak. Additionally, the instruction sent to aeagent (i.e. NEWSCAN, DELTASCAN, etc.) is converted to a Unicode string, but is never freed. These memory leaks allow a remote attacker to exploit a Denial of Service scenario through repetitively sending these commands to an agent and eventually crashing the agent due to an out-of-memory condition. |
| 21 | CVE-2020-14048 | 306 | | | 2020-06-12 | 2020-06-17 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents. |
| 22 | CVE-2020-13818 | 22 | | Dir. Trav. Bypass | 2020-06-04 | 2021-06-22 | 5.0 | None | Remote | Low | Not required | Partial | None | None | In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed. |
| 23 | CVE-2020-12116 | 200 | | +Info | 2020-05-07 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. |
| 24 | CVE-2020-11946 | 200 | | +Info | 2020-04-20 | 2021-06-22 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call. |
| 25 | CVE-2020-11527 | 200 | | +Info | 2020-04-04 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. |
| 26 | CVE-2020-10816 | 287 | | | 2020-10-08 | 2020-10-15 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via the AAMRequestProcessor servlet. |
| 27 | CVE-2020-8509 | 306 | | | 2020-03-30 | 2022-04-06 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure. |
| 28 | CVE-2019-19800 | 200 | | +Info | 2020-02-06 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet. |
| 29 | CVE-2019-19799 | 306 | | | 2020-03-13 | 2022-03-31 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license-related information via the WieldFeedServlet servlet. |
| 30 | CVE-2019-18781 | 601 | | | 2019-12-18 | 2020-01-06 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site. |
| 31 | CVE-2019-15046 | 287 | | +Info | 2019-08-14 | 2022-04-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989. |
| 32 | CVE-2019-15045 | 200 | | +Info | 2019-08-21 | 2019-08-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | ** DISPUTED ** AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality. |
| 33 | CVE-2019-14693 | 611 | | | 2019-08-08 | 2019-10-09 | 5.5 | None | Remote | Low | ??? | Partial | None | Partial | Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. |
| 34 | CVE-2019-7161 | 326 | | | 2019-03-21 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving an attacker the capacity to decipher any protected data. |
| 35 | CVE-2018-19118 | 787 | | DoS Overflow | 2018-12-13 | 2020-08-24 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Zoho ManageEngine ADAudit before 5.1 build 5120 allows remote attackers to cause a denial of service (stack-based buffer overflow) via the 'Domain Name' field when adding a new domain. |
| 36 | CVE-2018-18980 | 611 | | | 2018-11-06 | 2019-01-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None | An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server. |
| 37 | CVE-2018-17283 | 89 | | Sql | 2018-09-21 | 2018-11-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter. |
| 38 | CVE-2018-12997 | 200 | | +Info | 2018-06-29 | 2021-08-31 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers to read certain files on the web server without login by sending a specially crafted request to the server with the operation=copyfile&fileName= substring. |
| 39 | CVE-2018-11717 | 532 | | +Info | 2018-07-16 | 2018-09-19 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64-encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the cleartext password of recovery_password of Android devices, the cleartext password of account "set", the location of devices enrolled in the platform (with UUID and information related to the name of the person at the location), critical information about all enrolled devices such as Serial Number, UUID, Model, Name, and auth_session_token (usable to spoof a terminal identity on the platform), etc. |
| 40 | CVE-2018-11716 | 532 | | | 2018-07-16 | 2018-09-17 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue was discovered in Zoho ManageEngine Desktop Central before 100230. There is unauthenticated remote access to all log files of a Desktop Central instance containing critical information (private information such as location of enrolled devices, cleartext passwords, patching level, etc.) via a GET request on port 8022, 8443, or 8444. |
| 41 | CVE-2018-7248 | | | | 2018-05-11 | 2020-06-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the account exists, or 'null' if it does not. |
| 42 | CVE-2017-16924 | 330 | | Bypass | 2018-02-19 | 2019-10-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157. |
| 43 | CVE-2017-11559 | 89 | | Sql | 2019-05-23 | 2019-05-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack. |
| 44 | CVE-2017-11557 | 200 | | +Info | 2019-05-23 | 2019-05-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request. |
| 45 | CVE-2017-9376 | 20 | | File Inclusion | 2019-03-25 | 2019-04-02 | 5.0 | None | Remote | Low | Not required | Partial | None | None | ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do and AssetDefaultConfigDef.do. |
| 46 | CVE-2016-6603 | 20 | | Bypass | 2017-01-23 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | None | Partial | None | ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header. |
| 47 | CVE-2016-6602 | 327 | | | 2017-01-23 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a remote exploit. |
| 48 | CVE-2016-6601 | 22 | | Dir. Trav. | 2017-01-23 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile. |
| 49 | CVE-2016-4890 | 254 | | +Info | 2017-04-14 | 2017-05-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie. |
| 50 | CVE-2015-9107 | 310 | | | 2017-08-04 | 2017-08-15 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor. |