Filtered by vendor Zohocorp
Subscribe
Total
418 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-9367 | 1 Zohocorp | 1 Manageengine Desktop Central | 2021-03-25 | 6.9 MEDIUM | 7.8 HIGH |
The MPS Agent in Zoho ManageEngine Desktop Central MSP build MSP build 10.0.486 is vulnerable to DLL Hijacking: dcinventory.exe and dcconfig.exe try to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because this DLL is missing from the installation, thus making it possible to hijack the DLL and subsequently inject code, leading to an escalation of privilege to NT AUTHORITY\SYSTEM. | |||||
CVE-2020-35682 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2021-03-18 | 6.5 MEDIUM | 8.8 HIGH |
Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login). | |||||
CVE-2020-35594 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2021-03-11 | 4.3 MEDIUM | 6.1 MEDIUM |
Zoho ManageEngine ADManager Plus before 7066 allows XSS. | |||||
CVE-2020-35765 | 1 Zohocorp | 1 Manageengine Applications Manager | 2021-02-17 | 6.5 MEDIUM | 8.8 HIGH |
doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do. | |||||
CVE-2019-12539 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2021-01-13 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus. There is XSS via the SearchN.do search field, a different vulnerability than CVE-2019-12189. | |||||
CVE-2020-27995 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-11-03 | 7.5 HIGH | 9.8 CRITICAL |
SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter. | |||||
CVE-2020-10816 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-10-15 | 5.0 MEDIUM | 7.5 HIGH |
Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet. | |||||
CVE-2018-5353 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2020-10-15 | 7.5 HIGH | 9.8 CRITICAL |
The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required | |||||
CVE-2020-15927 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-10-13 | 6.5 MEDIUM | 8.8 HIGH |
Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module. | |||||
CVE-2020-16267 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-10-13 | 6.5 MEDIUM | 8.8 HIGH |
Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module. | |||||
CVE-2020-15533 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-10-13 | 7.5 HIGH | 9.8 CRITICAL |
In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack. | |||||
CVE-2017-14123 | 1 Zohocorp | 1 Manageengine Firewall Analyzer | 2020-10-01 | 9.0 HIGH | 8.8 HIGH |
Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upload vulnerability in the "Group Chat" section. Any user can upload files with any extensions. By uploading a PHP file to the server, an attacker can cause it to execute in the server context, as demonstrated by /itplus/FileStorage/302/shell.jsp. | |||||
CVE-2020-15521 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-09-30 | 4.3 MEDIUM | 6.1 MEDIUM |
Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS) . | |||||
CVE-2020-15394 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-09-30 | 7.5 HIGH | 9.8 CRITICAL |
The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution. | |||||
CVE-2018-16364 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-09-29 | 9.3 HIGH | 8.1 HIGH |
A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share. | |||||
CVE-2020-14008 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-09-16 | 6.5 MEDIUM | 7.2 HIGH |
Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution. | |||||
CVE-2020-24786 | 1 Zohocorp | 11 Manageengine Ad360, Manageengine Adaudit Plus, Manageengine Admanager Plus and 8 more | 2020-09-10 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise. | |||||
CVE-2019-15106 | 1 Zohocorp | 1 Manageengine Opmanager | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm. | |||||
CVE-2019-12133 | 1 Zohocorp | 18 Manageengine Analytics Plus, Manageengine Browser Security Plus, Manageengine Desktop Central and 15 more | 2020-08-24 | 7.2 HIGH | 7.8 HIGH |
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus. | |||||
CVE-2018-10803 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary web script or HTML via a crafted description value. This can be exploited through CSRF. |