CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Zohocorp : Security Vulnerabilities (CVSS score between 5 and 5.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2020-14048 306 2020-06-12 2020-06-17
5.0
None Remote Low Not required None Partial None
Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents.
2 CVE-2020-13818 22 Dir. Trav. Bypass 2020-06-04 2020-06-09
5.0
None Remote Low Not required Partial None None
In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed.
3 CVE-2020-12116 200 +Info 2020-05-07 2020-05-12
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.
4 CVE-2020-11946 200 +Info 2020-04-20 2020-04-28
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call.
5 CVE-2020-11527 200 +Info 2020-04-04 2020-04-06
5.0
None Remote Low Not required Partial None None
In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files.
6 CVE-2020-10816 287 2020-10-08 2020-10-15
5.0
None Remote Low Not required None Partial None
Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet.
7 CVE-2020-8509 200 +Info 2020-03-30 2020-04-23
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure.
8 CVE-2019-19800 200 +Info 2020-02-06 2020-02-11
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet.
9 CVE-2019-19799 200 +Info 2020-03-13 2020-03-19
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet.
10 CVE-2019-18781 601 2019-12-18 2020-01-06
5.8
None Remote Medium Not required Partial Partial None
An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site.
11 CVE-2019-15046 200 +Info 2019-08-14 2019-08-21
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989.
12 CVE-2019-15045 200 +Info 2019-08-21 2019-08-30
5.0
None Remote Low Not required Partial None None
** DISPUTED ** AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality.
13 CVE-2019-14693 611 2019-08-08 2019-10-09
5.5
None Remote Low ??? Partial None Partial
Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
14 CVE-2019-7161 326 2019-03-21 2019-04-01
5.0
None Remote Low Not required Partial None None
An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data.
15 CVE-2018-19118 787 DoS Overflow 2018-12-13 2020-08-24
5.0
None Remote Low Not required None None Partial
Zoho ManageEngine ADAudit before 5.1 build 5120 allows remote attackers to cause a denial of service (stack-based buffer overflow) via the 'Domain Name' field when adding a new domain.
16 CVE-2018-18980 611 2018-11-06 2019-01-30
5.0
None Remote Low Not required None Partial None
An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.
17 CVE-2018-17283 89 Sql 2018-09-21 2018-11-09
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.
18 CVE-2018-12997 200 +Info 2018-06-29 2018-08-20
5.0
None Remote Low Not required Partial None None
Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers to read certain files on the web server without login by sending a specially crafted request to the server with the operation=copyfile&fileName= substring.
19 CVE-2018-11717 532 +Info 2018-07-16 2018-09-19
5.0
None Remote Low Not required Partial None None
An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64 encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the cleartext password of recovery_password of Android devices, the cleartext password of account "set", the location of devices enrolled in the platform (with UUID and information related to the name of the person at the location), critical information about all enrolled devices such as Serial Number, UUID, Model, Name, and auth_session_token (usable to spoof a terminal identity on the platform), etc.
20 CVE-2018-11716 532 2018-07-16 2018-09-17
5.0
None Remote Low Not required Partial None None
An issue was discovered in Zoho ManageEngine Desktop Central before 100230. There is unauthenticated remote access to all log files of a Desktop Central instance containing critical information (private information such as location of enrolled devices, cleartext passwords, patching level, etc.) via a GET request on port 8022, 8443, or 8444.
21 CVE-2018-7248 2018-05-11 2020-06-30
5.0
None Remote Low Not required Partial None None
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the accounts exists, or 'null' if it does not.
22 CVE-2017-16924 330 Bypass 2018-02-19 2019-10-03
5.0
None Remote Low Not required Partial None None
Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157.
23 CVE-2017-11559 89 Sql 2019-05-23 2019-05-24
5.0
None Remote Low Not required Partial None None
An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack.
24 CVE-2017-11557 200 +Info 2019-05-23 2019-05-24
5.0
None Remote Low Not required Partial None None
An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request.
25 CVE-2017-9376 20 File Inclusion 2019-03-25 2019-04-02
5.0
None Remote Low Not required Partial None None
ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do and AssetDefaultConfigDef.do.
26 CVE-2016-6603 20 Bypass 2017-01-23 2018-10-09
5.0
None Remote Low Not required None Partial None
ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header.
27 CVE-2016-6602 327 2017-01-23 2018-10-09
5.0
None Remote Low Not required Partial None None
ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a remote exploit.
28 CVE-2016-6601 22 Dir. Trav. 2017-01-23 2018-10-09
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.
29 CVE-2016-4890 254 +Info 2017-04-14 2017-05-13
5.0
None Remote Low Not required Partial None None
ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie.
30 CVE-2015-9107 310 2017-08-04 2017-08-15
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor.
31 CVE-2015-7781 275 2017-06-27 2017-06-30
5.0
None Remote Low Not required Partial None None
ManageEngine Firewall Analyzer before 8.0 does not restrict access permissions.
32 CVE-2015-5149 22 Dir. Trav. 2015-06-30 2016-12-07
5.5
None Remote Low ??? None Partial Partial
Directory traversal vulnerability in Zoho ManageEngine SupportCenter Plus 7.90 allows remote authenticated users to write to arbitrary files via a .. (dot dot) in the component parameter in the Request component to workorder/Attachment.jsp.
33 CVE-2015-4418 284 2015-06-09 2016-12-31
5.0
None Remote Low Not required None Partial None
Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.
34 CVE-2015-2560 264 2017-08-02 2018-10-09
5.0
None Remote Low Not required Partial None None
Manage Engine Desktop Central 9 before build 90135 allows remote attackers to change passwords of users with the Administrator role via an addOrModifyUser operation to servlets/DCOperationsServlet.
35 CVE-2014-100002 22 1 Dir. Trav. 2015-01-13 2017-09-08
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to WorkOrder.do in the file attachment for a new ticket.
36 CVE-2014-7863 200 +Info 2020-02-08 2020-02-13
5.0
None Remote Low Not required Partial None None
The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.
37 CVE-2014-6039 522 2020-01-13 2020-03-26
5.0
None Remote Low Not required Partial None None
ManageEngine EventLog Analyzer version 7 through 9.9 build 9002 has a Credentials Disclosure Vulnerability. Fixed version 10 Build 10000.
38 CVE-2014-6038 200 +Info 2020-01-13 2020-03-26
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine EventLog Analyzer versions 7 through 9.9 build 9002 have a database Information Disclosure Vulnerability. Fixed in EventLog Analyzer 10.0 Build 10000.
39 CVE-2014-6034 22 Dir. Trav. 2014-12-04 2014-12-05
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter.
40 CVE-2014-5446 22 Dir. Trav. 2014-12-04 2019-07-15
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter.
41 CVE-2014-5445 22 Dir. Trav. 2014-12-04 2019-07-15
5.0
None Remote Low Not required Partial None None
Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet.
42 CVE-2010-3273 20 2011-02-17 2018-10-10
5.0
None Remote Low Not required None Partial None
ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allows remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, by providing a user id to accounts/ValidateUser, and then providing a new password to accounts/ResetResult.
Total number of vulnerabilities : 42   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.