Total
51 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-11560 | 1 Zohocorp | 1 Manageengine Opmanager | 2019-05-24 | 3.5 LOW | 5.4 MEDIUM |
An issue was discovered in ZOHO ManageEngine OpManager 12.2. By adding a Google Map to the application, an authenticated user can upload an HTML file. This HTML file is then rendered in various locations of the application. JavaScript inside the uploaded HTML is also interpreted by the application. Thus, an attacker can inject a malicious JavaScript payload inside the HTML file and upload it to the application. | |||||
CVE-2017-11561 | 1 Zohocorp | 1 Manageengine Opmanager | 2019-05-24 | 4.0 MEDIUM | 6.5 MEDIUM |
An issue was discovered in ZOHO ManageEngine OpManager 12.2. An authenticated user can upload any file they want to share in the "Group Chat" or "Alarm" section. This functionality can be abused by a malicious user by uploading a web shell. | |||||
CVE-2018-18980 | 1 Zohocorp | 2 Manageengine Network Configuration Manager, Manageengine Opmanager | 2019-01-30 | 5.0 MEDIUM | 7.5 HIGH |
An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server. | |||||
CVE-2018-17243 | 1 Zohocorp | 1 Manageengine Opmanager | 2018-12-03 | 7.5 HIGH | 9.8 CRITICAL |
Global Search in Zoho ManageEngine OpManager before 12.3 123205 allows SQL Injection. | |||||
CVE-2018-17283 | 1 Zohocorp | 1 Manageengine Opmanager | 2018-12-03 | 5.0 MEDIUM | 7.5 HIGH |
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter. | |||||
CVE-2014-7864 | 1 Zohocorp | 1 Manageengine Opmanager | 2018-10-09 | 7.5 HIGH | N/A |
Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter in a standbyUpdateInCentral operation to servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet. | |||||
CVE-2015-9107 | 1 Zohocorp | 1 Manageengine Opmanager | 2017-08-15 | 5.0 MEDIUM | 9.8 CRITICAL |
Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor. | |||||
CVE-2015-7766 | 1 Zohocorp | 1 Manageengine Opmanager | 2015-10-09 | 9.0 HIGH | N/A |
PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO." | |||||
CVE-2015-7765 | 1 Zohocorp | 1 Manageengine Opmanager | 2015-10-09 | 9.0 HIGH | N/A |
ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser account, which allows remote authenticated users to obtain administrator access by leveraging knowledge of this password. | |||||
CVE-2014-6034 | 1 Zohocorp | 3 Manageengine It360, Manageengine Opmanager, Manageengine Social It Plus | 2014-12-05 | 5.0 MEDIUM | N/A |
Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter. | |||||
CVE-2014-6035 | 1 Zohocorp | 1 Manageengine Opmanager | 2014-12-05 | 7.5 HIGH | N/A |
Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter. |