Filtered by vendor Zohocorp
Subscribe
Total
418 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-16924 | 1 Zohocorp | 1 Manageengine Desktop Central | 2019-10-02 | 5.0 MEDIUM | 9.8 CRITICAL |
| Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157. | |||||
| CVE-2018-5340 | 1 Zohocorp | 1 Manageengine Desktop Central | 2019-10-02 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: database access using a superuser account (specifically, an account with permission to write to the filesystem via SQL queries). | |||||
| CVE-2018-5339 | 1 Zohocorp | 1 Manageengine Desktop Central | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions. | |||||
| CVE-2019-15045 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2019-08-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| ** DISPUTED ** AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality. | |||||
| CVE-2019-15104 | 1 Zohocorp | 1 Manageengine Applications Manager | 2019-08-26 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. | |||||
| CVE-2019-15105 | 1 Zohocorp | 1 Manageengine Applications Manager | 2019-08-26 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. | |||||
| CVE-2019-12959 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2019-08-16 | 6.5 MEDIUM | 8.8 HIGH |
| Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer 6.2.0 and before for the ClientUtilServlet servlet via a URL in a parameter. | |||||
| CVE-2019-12994 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2019-08-16 | 6.5 MEDIUM | 9.1 CRITICAL |
| Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer version 6.2.0 for the AJaxServlet servlet via a parameter in a URL. | |||||
| CVE-2019-3905 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2019-07-31 | 7.5 HIGH | 10.0 CRITICAL |
| Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF. | |||||
| CVE-2014-3997 | 1 Zohocorp | 2 Manageengine It360, Manageengine Password Manager Pro | 2019-07-16 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat. | |||||
| CVE-2014-8498 | 1 Zohocorp | 1 Manageengine Password Manager Pro | 2019-07-16 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in BulkEditSearchResult.cc in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allows remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter. | |||||
| CVE-2019-12540 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2019-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. There is XSS via the WorkOrder.do search field. | |||||
| CVE-2014-5445 | 1 Zohocorp | 2 Manageengine It360, Manageengine Netflow Analyzer | 2019-07-15 | 5.0 MEDIUM | N/A |
| Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet. | |||||
| CVE-2014-7868 | 1 Zohocorp | 3 Manageengine It360, Manageengine Opmanager, Manageengine Social It Plus | 2019-07-15 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet. | |||||
| CVE-2014-7867 | 1 Zohocorp | 3 Manageengine It360, Manageengine Opmanager, Manageengine Social It Plus | 2019-07-15 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the probeName parameter. | |||||
| CVE-2014-6036 | 1 Zohocorp | 3 Manageengine It360, Manageengine Opmanager, Manageengine Social It Plus | 2019-07-15 | 6.4 MEDIUM | N/A |
| Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter. | |||||
| CVE-2014-7866 | 1 Zohocorp | 3 Manageengine It360, Manageengine Opmanager, Manageengine Social It Plus | 2019-07-15 | 7.5 HIGH | N/A |
| Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to write and execute arbitrary files via a .. (dot dot) in the (1) fileName parameter to the MigrateLEEData servlet or (2) zipFileName parameter in a downloadFileFromProbe operation to the MigrateCentralData servlet. | |||||
| CVE-2014-5446 | 1 Zohocorp | 2 Manageengine It360, Manageengine Netflow Analyzer | 2019-07-15 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter. | |||||
| CVE-2019-12196 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2019-06-07 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability in /client/api/json/v2/nfareports/compareReport in Zoho ManageEngine NetFlow Analyzer 12.3 allows attackers to execute arbitrary SQL commands via the DeviceID parameter. | |||||
| CVE-2019-12542 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2019-06-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter. | |||||