CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Zohocorp : Security Vulnerabilities (CVSS score between 7 and 7.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-28959 22 Exec Code Dir. Trav. 2021-04-30 2021-05-11
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Eventlog Analyzer through 12147 is vulnerable to unauthenticated directory traversal via an entry in a ZIP archive. This leads to remote code execution.
2 CVE-2021-3287 502 Exec Code Bypass 2021-04-22 2021-04-30
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class.
3 CVE-2020-29658 326 2021-03-05 2021-03-12
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Application Control Plus before 100523 has an insecure SSL configuration setting for Nginx, leading to Privilege Escalation.
4 CVE-2020-28653 Exec Code 2021-02-03 2021-02-05
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.
5 CVE-2020-27995 89 Exec Code Sql 2020-10-29 2020-11-03
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter.
6 CVE-2020-15588 190 Exec Code Overflow 2020-07-29 2021-04-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. This issue will occur only when untrusted communication is initiated with server. In cloud, Agent will always connect with trusted communication.
7 CVE-2020-15533 89 Sql 2020-10-01 2020-10-13
7.5
None Remote Low Not required Partial Partial Partial
In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack.
8 CVE-2020-15394 89 Exec Code Sql 2020-09-25 2020-09-30
7.5
None Remote Low Not required Partial Partial Partial
The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution.
9 CVE-2020-11518 Exec Code 2020-04-04 2020-04-06
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution.
10 CVE-2020-10541 20 Exec Code 2020-03-13 2020-03-18
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine OpManager before 12.4.179 allows remote code execution via a specially crafted Mail Server Settings v1 API request. This was fixed in 12.5.108.
11 CVE-2020-9347 74 2020-03-16 2020-03-20
7.5
None Remote Low Not required Partial Partial Partial
** DISPUTED ** Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products.
12 CVE-2020-8540 611 2020-03-11 2020-03-13
7.5
None Remote Low Not required Partial Partial Partial
An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
13 CVE-2019-19649 89 Sql 2019-12-11 2019-12-19
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function.
14 CVE-2019-17602 89 Sql 2019-10-15 2021-05-04
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
15 CVE-2019-17421 276 2019-11-21 2019-12-03
7.2
None Local Low Not required Complete Complete Complete
Incorrect file permissions on the packaged Nipper executable file in Zoho ManageEngine OpManager 12.4.072 and Firewall Analyzer 12.4.072 allow local users to elevate privileges to root by overwriting this file with a malicious payload.
16 CVE-2019-15106 306 Exec Code Bypass 2019-08-16 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is [email protected]
17 CVE-2019-12196 89 Exec Code Sql 2019-06-05 2019-06-07
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability in /client/api/json/v2/nfareports/compareReport in Zoho ManageEngine NetFlow Analyzer 12.3 allows attackers to execute arbitrary SQL commands via the DeviceID parameter.
18 CVE-2019-12133 427 2019-06-18 2020-08-24
7.2
None Local Low Not required Complete Complete Complete
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus.
19 CVE-2019-11678 89 Sql 2019-05-02 2019-05-03
7.5
None Remote Low Not required Partial Partial Partial
The "default reports" feature in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123218 is vulnerable to SQL Injection.
20 CVE-2019-11677 611 2019-05-02 2019-05-03
7.5
None Remote Low Not required Partial Partial Partial
The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection.
21 CVE-2019-8395 22 Dir. Trav. 2019-02-17 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.
22 CVE-2019-3905 918 2019-01-03 2019-07-31
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF.
23 CVE-2018-20664 611 2019-01-03 2019-05-13
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.
24 CVE-2018-20338 89 Sql 2018-12-21 2021-05-04
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section.
25 CVE-2018-20173 89 Sql 2018-12-17 2021-05-04
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API.
26 CVE-2018-18949 89 Sql 2018-11-05 2021-05-04
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via Mail Server settings.
27 CVE-2018-18475 434 2018-10-23 2021-05-04
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine OpManager before 12.3 build 123214 allows Unrestricted Arbitrary File Upload.
28 CVE-2018-17243 89 Sql 2018-09-20 2018-11-09
7.5
None Remote Low Not required Partial Partial Partial
Global Search in Zoho ManageEngine OpManager before 12.3 123205 allows SQL Injection.
29 CVE-2018-15168 89 Sql 2018-08-08 2018-10-05
7.5
None Remote Low Not required Partial Partial Partial
A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request.
30 CVE-2018-13412 732 2018-09-12 2021-04-21
7.2
None Local Low Not required Complete Complete Complete
An issue was discovered in the Self Service Portal in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version.
31 CVE-2018-13050 89 Sql 2018-07-02 2018-08-30
7.5
None Remote Low Not required Partial Partial Partial
A SQL Injection vulnerability exists in Zoho ManageEngine Applications Manager 13.x before build 13800 via the j_username parameter in a /j_security_check POST request.
32 CVE-2018-10466 89 Sql 2018-05-29 2018-07-13
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine ADAudit Plus before 5.0.0 build 5100 allows blind SQL Injection.
33 CVE-2018-5353 290 Exec Code +Priv 2020-09-30 2020-10-15
7.5
None Remote Low Not required Partial Partial Partial
The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required
34 CVE-2018-5341 20 2018-04-18 2019-03-05
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: a missing server-side check on the file type/extension when uploading and modifying scripts.
35 CVE-2018-5339 306 2018-04-18 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions.
36 CVE-2018-5338 306 2018-04-18 2019-03-05
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: missing authentication/authorization for a database query mechanism.
37 CVE-2018-5337 22 Dir. Trav. 2018-04-18 2019-03-05
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: directory traversal in the SCRIPT_NAME field when modifying existing scripts.
38 CVE-2017-16851 89 Sql 2017-11-16 2018-08-07
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter.
39 CVE-2017-16850 89 Sql 2017-11-16 2018-08-28
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action.
40 CVE-2017-16849 89 Sql 2017-11-16 2018-08-07
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter.
41 CVE-2017-16848 89 Sql 2017-11-16 2017-11-27
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter.
42 CVE-2017-16847 89 Sql 2017-11-16 2018-08-07
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action.
43 CVE-2017-16846 89 Sql 2017-11-16 2018-08-07
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter.
44 CVE-2017-16543 89 Sql 2017-11-05 2018-08-07
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter.
45 CVE-2017-11346 20 Exec Code 2017-07-17 2017-08-12
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos.
46 CVE-2016-6600 22 Dir. Trav. 2017-01-23 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. (dot dot) in the fileName parameter to servlets/FileUploadServlet.
47 CVE-2015-7387 89 Exec Code Sql Bypass 2015-09-28 2020-03-26
7.5
None Remote Low Not required Partial Partial Partial
ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200.
48 CVE-2015-2959 284 +Info 2015-06-09 2016-12-31
7.5
None Remote Low Not required Partial Partial Partial
Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role.
49 CVE-2014-7868 89 Exec Code Sql 2014-12-04 2019-07-15
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet.
50 CVE-2014-7867 89 Exec Code Sql 2014-12-04 2019-07-15
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the probeName parameter.
Total number of vulnerabilities : 59   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.