Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Zohocorp Subscribe
Total 418 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-31530 1 Zohocorp 1 Manageengine Servicedesk Plus Msp 2021-09-21 5.0 MEDIUM 7.5 HIGH
Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure.
CVE-2021-31813 1 Zohocorp 1 Manageengine Applications Manager 2021-09-21 3.5 LOW 5.4 MEDIUM
Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD.
CVE-2021-37423 1 Zohocorp 1 Manageengine Adselfservice Plus 2021-09-17 7.5 HIGH 9.8 CRITICAL
Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover.
CVE-2021-37422 1 Zohocorp 1 Manageengine Adselfservice Plus 2021-09-17 7.5 HIGH 9.8 CRITICAL
Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases.
CVE-2021-33055 2 Microsoft, Zohocorp 2 Windows, Manageengine Adselfservice Plus 2021-09-02 10.0 HIGH 9.8 CRITICAL
Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.
CVE-2021-37416 1 Zohocorp 1 Manageengine Adselfservice Plus 2021-09-02 4.3 MEDIUM 6.1 MEDIUM
Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.
CVE-2021-40178 1 Zohocorp 1 Manageengine Log360 2021-09-01 4.3 MEDIUM 6.1 MEDIUM
Zoho ManageEngine Log360 before Build 5224 allows stored XSS via the LOGO_PATH key value in the logon settings.
CVE-2021-40175 1 Zohocorp 1 Manageengine Log360 2021-09-01 7.5 HIGH 9.8 CRITICAL
Zoho ManageEngine Log360 before Build 5219 allows unrestricted file upload with resultant remote code execution.
CVE-2021-40173 1 Zohocorp 1 Manageengine Cloud Security Plus 2021-09-01 6.8 MEDIUM 8.8 HIGH
Zoho ManageEngine Cloud Security Plus before Build 4117 allows a CSRF attack on the server proxy settings.
CVE-2021-40174 1 Zohocorp 1 Manageengine Log360 2021-09-01 6.8 MEDIUM 8.8 HIGH
Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings.
CVE-2021-40177 1 Zohocorp 1 Manageengine Log360 2021-09-01 7.5 HIGH 9.8 CRITICAL
Zoho ManageEngine Log360 before Build 5225 allows remote code execution via BCP file overwrite.
CVE-2021-40176 1 Zohocorp 1 Manageengine Log360 2021-09-01 4.3 MEDIUM 6.1 MEDIUM
Zoho ManageEngine Log360 before Build 5225 allows stored XSS.
CVE-2021-40172 1 Zohocorp 1 Manageengine Log360 2021-09-01 6.8 MEDIUM 8.8 HIGH
Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings.
CVE-2018-12998 1 Zohocorp 5 Firewall Analyzer, Manageengine Netflow Analyzer, Manageengine Opmanager and 2 more 2021-08-31 4.3 MEDIUM 6.1 MEDIUM
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.
CVE-2018-12997 1 Zohocorp 5 Firewall Analyzer, Manageengine Netflow Analyzer, Manageengine Opmanager and 2 more 2021-08-31 5.0 MEDIUM 7.5 HIGH
Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers to read certain files on the web server without login by sending a specially crafted request to the server with the operation=copyfile&fileName= substring.
CVE-2021-33617 1 Zohocorp 1 Manageengine Password Manager Pro 2021-08-09 5.0 MEDIUM 5.3 MEDIUM
Zoho ManageEngine Password Manager Pro before 11.2 11200 allows login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName= username enumeration, because the response (to a failed login request) is null only when the username is invalid.
CVE-2021-36772 1 Zohocorp 1 Manageengine Admanager Plus 2021-07-28 4.3 MEDIUM 6.1 MEDIUM
Zoho ManageEngine ADManager Plus before 7110 allows stored XSS.
CVE-2021-36771 1 Zohocorp 1 Manageengine Admanager Plus 2021-07-28 4.3 MEDIUM 6.1 MEDIUM
Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS.
CVE-2021-20110 1 Zohocorp 1 Manageengine Assetexplorer 2021-07-28 10.0 HIGH 9.8 CRITICAL
Due to Manage Engine Asset Explorer Agent 1.0.34 not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as well as receive the agent's HTTP request verifying its authtoken. In httphandler.cpp, the agent reaching out over HTTP is vulnerable to an Integer Overflow, which can be turned into a Heap Overflow allowing for remote code execution as NT AUTHORITY/SYSTEM on the agent machine. The Integer Overflow occurs when receiving POST response from the Manage Engine server, and the agent calling "HttpQueryInfoW" in order to get the "Content-Length" size from the incoming POST request. This size is taken, but multiplied to a larger amount. If an attacker specifies a Content-Length size of 1073741823 or larger, this integer arithmetic will wrap the value back around to smaller integer, then calls "calloc" with this size to allocate memory. The following API "InternetReadFile" will copy the POST data into this buffer, which will be too small for the contents, and cause heap overflow.
CVE-2021-20109 1 Zohocorp 1 Manageengine Assetexplorer 2021-07-28 5.0 MEDIUM 7.5 HIGH
Due to the Asset Explorer agent not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as well as receive the agent's HTTP request verifying its authtoken. In AEAgent.cpp, the agent responding back over HTTP is vulnerable to a Heap Overflow if the POST payload response is too large. The POST payload response is converted to Unicode using vswprintf. This is written to a buffer only 0x2000 bytes big. If POST payload is larger, then heap overflow will occur.