Zohocorp : Security Vulnerabilities CVSS score between 6 and 6.99
Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.
Max Base Score
6.1
Published
2023-08-10
Updated
2023-08-15
EPSS
0.52%
Zoho ManageEngine ADManager Plus through 7201 allows authenticated users to take over another user's account via sensitive information disclosure.
Max Base Score
6.5
Published
2023-08-04
Updated
2023-08-09
EPSS
0.05%
ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009.
Max Base Score
6.8
Published
2023-09-06
Updated
2023-09-11
EPSS
0.05%
Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users.
Max Base Score
6.5
Published
2023-08-17
Updated
2023-08-23
EPSS
0.07%
Zoho ManageEngine Applications Manager before 16400 allows DOM-based XSS via proxy.html.
Max Base Score
6.1
Published
2023-04-26
Updated
2023-06-26
EPSS
1.08%
Stored cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious JavaScript into the incorrect-login-details page.
Max Base Score
6.1
Published
2023-04-11
Updated
2023-04-14
EPSS
0.23%
Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XML External Entity (XXE) attack.
Max Base Score
6.5
Published
2023-04-11
Updated
2023-04-14
EPSS
0.13%
ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports.
Max Base Score
6.5
Published
2023-03-06
Updated
2023-03-13
EPSS
0.17%
Cross-site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing credentials in the Assets module.
Max Base Score
6.1
Published
2023-02-01
Updated
2023-02-22
EPSS
0.67%
Cross-site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.
Max Base Score
6.1
Published
2023-02-01
Updated
2023-02-22
EPSS
0.67%
Cross-site scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets workstation.
Max Base Score
6.1
Published
2023-02-01
Updated
2023-02-08
EPSS
1.33%
Cross-site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.
Max Base Score
6.1
Published
2023-02-01
Updated
2023-02-14
EPSS
0.67%
Cross-site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the PO (purchase order) field in the purchase component.
Max Base Score
6.1
Published
2023-02-01
Updated
2023-02-14
EPSS
0.67%
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.pdf.
Max Base Score
6.1
Published
2023-11-03
Updated
2023-11-13
EPSS
0.16%
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv.
Max Base Score
6.1
Published
2023-11-03
Updated
2023-11-13
EPSS
0.16%
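The two Desktop Central entries above describe the same mechanism: a fileName parameter that is percent-decoded and then written into a response header unchanged, so an encoded CR LF (%0d%0a) ends one header and starts another, and a second CR LF pair starts a second response body. The following is an added example written for this page, not ManageEngine code: a naive header builder next to a hardened one, a minimal client-side parser that shows how the injected header and body are seen, and a check over constructed access-log lines for encoded CR/LF in query parameters. All function names, the sample payload and the log lines are constructed for illustration.

```python
"""
Added example (not ManageEngine code): CRLF injection / HTTP response
splitting through a user-controlled fileName parameter, a hardened header
builder, and a log check for the encoded payload. Function names, the
payload and the access-log lines below are constructed for illustration.
"""
import re
from urllib.parse import unquote, quote, urlsplit, parse_qs

CRLF = "\r\n"

# Constructed attacker-supplied value for a ?fileName= parameter. On the wire
# it is percent-encoded; the application decodes it before building headers,
# which is where the raw CR LF bytes appear.
ATTACK_FILENAME = (
    "InvSWMetering.pdf%0d%0aSet-Cookie:%20JSESSIONID=attacker"
    "%0d%0a%0d%0a<script>alert(1)</script>"
)
BENIGN_FILENAME = "InvSWMetering.pdf"


def build_headers_vulnerable(file_name: str) -> str:
    """Naive builder: the decoded filename goes into the header block unchanged."""
    name = unquote(file_name)
    return (
        "HTTP/1.1 200 OK" + CRLF
        + "Content-Type: application/pdf" + CRLF
        + f'Content-Disposition: attachment; filename="{name}"' + CRLF
        + CRLF
    )


def safe_header_filename(file_name: str) -> str:
    """Decode once, reject any control character outright, then percent-encode
    what remains (RFC 5987 style) so CR, LF or NUL can never reach the wire."""
    name = unquote(file_name)
    if re.search(r"[\x00-\x1f\x7f]", name):
        raise ValueError("control character in fileName")
    return "UTF-8''" + quote(name, safe="")


def build_headers_hardened(file_name: str) -> str:
    """Same response as above, built only from the sanitised filename."""
    encoded = safe_header_filename(file_name)
    return (
        "HTTP/1.1 200 OK" + CRLF
        + "Content-Type: application/pdf" + CRLF
        + f"Content-Disposition: attachment; filename*={encoded}" + CRLF
        + CRLF
    )


def parse_response(raw: str) -> tuple[dict, str]:
    """Split a raw response into (headers, body) the way a client does:
    headers end at the first blank line; everything after it is body."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:          # skip the status line
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return headers, body


# Detection side: constructed access-log lines in a common-log-like format.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [03/Nov/2023:10:00:01 +0000] "GET /STATE_ID/1613157927228/InvSWMetering.pdf?fileName=InvSWMetering.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [03/Nov/2023:10:00:07 +0000] "GET /STATE_ID/1613157927228/InvSWMetering.csv?fileName=x%0d%0aSet-Cookie:%20a=b HTTP/1.1" 200 17
"""

_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_crlf_injection_attempts(log_text: str) -> list:
    """Return request targets whose query parameters decode to contain CR or LF."""
    hits = []
    for line in log_text.splitlines():
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        query = urlsplit(target).query
        # parse_qs percent-decodes values, so %0d%0a shows up as "\r\n" here
        for values in parse_qs(query, keep_blank_values=True).values():
            if any("\r" in v or "\n" in v for v in values):
                hits.append(target)
                break
    return hits


if __name__ == "__main__":
    headers, body = parse_response(build_headers_vulnerable(ATTACK_FILENAME))
    print("injected header:", headers.get("set-cookie"))
    print("injected body starts with:", body[:8])
    print(build_headers_hardened(BENIGN_FILENAME))
    print(find_crlf_injection_attempts(SAMPLE_ACCESS_LOG))
```

Rejecting control characters and percent-encoding the value are independent defences; either alone closes the split, and keeping both means a later refactor that drops one does not silently reopen it. The log check is deliberately run on decoded parameter values, so `%0D%0A`, `%0d%0a` and double-encoded variants that the application would decode are all caught by the same test.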
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module.
Max Base Score
6.5
Published
2022-11-23
Updated
2022-11-29
EPSS
0.06%
Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.
Max Base Score
6.1
Published
2022-04-07
Updated
2022-10-06
EPSS
0.16%
An issue was discovered in Zoho ManageEngine Key Manager Plus before 6200. A service exposed by the application allows a user with the Operator privilege level to access stored SSL certificates and their associated private key pairs during export.
Max Base Score
6.5
Published
2022-03-02
Updated
2022-03-09
EPSS
0.08%
Zoho ManageEngine Desktop Central before 10.1.2137.10 allows an authenticated user to change any user's login password.
Max Base Score
6.5
Published
2022-01-28
Updated
2022-02-02
EPSS
0.76%
Zoho ManageEngine Desktop Central before 10.0.662 allows authenticated users to obtain sensitive information from the database by visiting the Reports page.
Max Base Score
6.5
Published
2022-01-10
Updated
2022-01-13
EPSS
0.08%
Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module.
Max Base Score
6.1
Published
2021-11-30
Updated
2022-04-27
EPSS
0.12%
Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module.
Max Base Score
6.1
Published
2021-11-30
Updated
2022-04-27
EPSS
0.12%
Zoho ManageEngine Log360 before Build 5224 allows stored XSS via the LOGO_PATH key value in the logon settings.
Max Base Score
6.1
Published
2021-08-29
Updated
2021-09-01
EPSS
0.11%
Zoho ManageEngine Log360 before Build 5225 allows stored XSS.
Max Base Score
6.1
Published
2021-08-29
Updated
2021-09-01
EPSS
0.11%
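Several entries on this page are stored or reflected XSS through a value that lands in a different HTML context each time: a comment or status comment (element text), a credential name or welcome name (inside an attribute), and, in the Log360 entry just above, a LOGO_PATH setting that becomes an image URL. The following is an added example written for this page, not code from any ManageEngine product: one template rendered without and with context-aware encoding for those three contexts, plus a small checker built on the standard-library HTML parser that reports script tags, event-handler attributes and javascript: URLs in the rendered output. The payloads, template and function names are constructed for illustration.

```python
"""
Added example (not ManageEngine code): the same three user-controlled
values rendered into text, attribute and URL contexts without and with
context-aware encoding, and a checker for active content in the result.
Payloads, template and function names are constructed for illustration.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed payloads of the kind a stored-XSS report describes.
COMMENT = "<script>alert(document.cookie)</script>"
CRED_NAME = '" onmouseover="alert(1)'
LOGO_PATH = "javascript:alert(1)"

DEFAULT_LOGO = "/images/default-logo.png"


def render_vulnerable(comment: str, cred_name: str, logo_path: str) -> str:
    """Each value is interpolated raw into its context."""
    return (
        f'<img src="{logo_path}" alt="logo">\n'
        f'<input name="credName" value="{cred_name}">\n'
        f'<p class="comment">{comment}</p>'
    )


def safe_url(value: str, allowed_schemes=("http", "https", "")) -> str:
    """URL context: escaping is not enough, because javascript: or data: URLs
    contain nothing HTML-special. Allow only http(s) or relative URLs and
    fall back to a fixed default for anything else, then attribute-escape."""
    scheme = urlsplit(value).scheme.lower()
    if scheme not in allowed_schemes:
        return DEFAULT_LOGO
    return html.escape(value, quote=True)


def render_hardened(comment: str, cred_name: str, logo_path: str) -> str:
    """Encode for the context each value lands in: URL allow-list for the
    image source, quote-aware escaping inside the attribute, HTML escaping
    for element text."""
    return (
        f'<img src="{safe_url(logo_path)}" alt="logo">\n'
        f'<input name="credName" value="{html.escape(cred_name, quote=True)}">\n'
        f'<p class="comment">{html.escape(comment)}</p>'
    )


class _ActiveContentFinder(HTMLParser):
    """Records markup that would execute script in a browser."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            elif name in ("src", "href") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")


def find_active_content(markup: str) -> list:
    """Return a list describing every script tag, on* attribute or
    javascript: URL the parser sees in the rendered markup."""
    finder = _ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    bad = render_vulnerable(COMMENT, CRED_NAME, LOGO_PATH)
    good = render_hardened(COMMENT, CRED_NAME, LOGO_PATH)
    print(bad, "\n->", find_active_content(bad))
    print(good, "\n->", find_active_content(good))
```

The checker is a unit-test aid, not a sanitiser: it confirms that encoded output carries none of the three injection forms, but an allow-list of schemes and per-context encoding at render time is what actually closes the bug. Note that `html.escape` alone would have left the `javascript:` logo URL intact, which is why the URL context gets its own rule.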
Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing.
Max Base Score
6.5
Published
2021-09-21
Updated
2022-07-12
EPSS
0.13%