CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Zohocorp : Security Vulnerabilities (CVSS score between 5 and 5.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-41829 326 2021-09-30 2021-10-05
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application's build number to calculate a certain encryption key.
2 CVE-2021-41828 798 2021-09-30 2021-10-05
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials associated with resetPWD.xml.
3 CVE-2021-41827 798 2021-09-30 2021-10-05
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials for read-only access. The credentials are in the source code that corresponds to the DCBackupRestore JAR archive.
4 CVE-2021-37922 22 Dir. Trav. 2021-10-07 2021-10-15
5.0
None Remote Low Not required None Partial None
Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to path traversal which allows copying of files from one directory to another.
5 CVE-2021-37420 287 2021-09-21 2021-10-01
5.0
None Remote Low Not required None Partial None
ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing.
6 CVE-2021-37417 20 Bypass 2021-08-30 2021-09-02
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation.
7 CVE-2021-37414 287 2021-09-10 2021-09-28
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine DesktopCentral before 10.0.709 allows anyone to get a valid user's APIKEY without authentication.
8 CVE-2021-33617 2021-07-31 2021-08-10
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine Password Manager Pro before 11.2 11200 allows login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName= username enumeration, because the response (to a failed login request) is null only when the username is invalid.
9 CVE-2021-31530 2021-06-29 2021-09-21
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure.
10 CVE-2021-31160 2021-06-29 2021-07-02
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data.
11 CVE-2021-31159 209 2021-06-16 2021-07-09
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732.
12 CVE-2021-20109 295 Overflow 2021-07-19 2021-07-28
5.0
None Remote Low Not required None Partial None
Due to the Asset Explorer agent not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as well as receive the agent's HTTP request verifying its authtoken. In AEAgent.cpp, the agent responding back over HTTP is vulnerable to a Heap Overflow if the POST payload response is too large. The POST payload response is converted to Unicode using vswprintf. This is written to a buffer only 0x2000 bytes big. If POST payload is larger, then heap overflow will occur.
13 CVE-2021-20108 401 DoS Exec Code 2021-07-19 2021-07-28
5.0
None Remote Low Not required None None Partial
Manage Engine Asset Explorer Agent 1.0.34 listens on port 9000 for incoming commands over HTTPS from Manage Engine Server. The HTTPS certificates are not verified which allows any arbitrary user on the network to send commands over port 9000. While these commands may not be executed (due to authtoken validation), the Asset Explorer agent will reach out to the manage engine server for an HTTP request. During this process, AEAgent.cpp allocates 0x66 bytes using "malloc". This memory is never free-ed in the program, causing a memory leak. Additionally, the instruction sent to aeagent (ie: NEWSCAN, DELTASCAN, etc) is converted to a unicode string, but is never freed. These memory leaks allow a remote attacker to exploit a Denial of Service scenario through repetitively sending these commands to an agent and eventually crashing it the agent due to an out-of-memory condition.
14 CVE-2020-14048 306 2020-06-12 2020-06-17
5.0
None Remote Low Not required None Partial None
Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents.
15 CVE-2020-13818 22 Dir. Trav. Bypass 2020-06-04 2021-06-22
5.0
None Remote Low Not required Partial None None
In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed.
16 CVE-2020-12116 200 +Info 2020-05-07 2021-07-21
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.
17 CVE-2020-11946 200 +Info 2020-04-20 2021-06-22
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call.
18 CVE-2020-11527 200 +Info 2020-04-04 2021-07-21
5.0
None Remote Low Not required Partial None None
In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files.
19 CVE-2020-10816 287 2020-10-08 2020-10-15
5.0
None Remote Low Not required None Partial None
Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet.
20 CVE-2020-8509 200 +Info 2020-03-30 2021-07-21
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure.
21 CVE-2019-19800 200 +Info 2020-02-06 2021-07-21
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet.
22 CVE-2019-19799 200 +Info 2020-03-13 2021-07-21
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet.
23 CVE-2019-18781 601 2019-12-18 2020-01-06
5.8
None Remote Medium Not required Partial Partial None
An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site.
24 CVE-2019-15046 200 +Info 2019-08-14 2021-07-21
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989.
25 CVE-2019-15045 200 +Info 2019-08-21 2019-08-30
5.0
None Remote Low Not required Partial None None
** DISPUTED ** AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality.
26 CVE-2019-14693 611 2019-08-08 2019-10-09
5.5
None Remote Low ??? Partial None Partial
Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
27 CVE-2019-7161 326 2019-03-21 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data.
28 CVE-2018-19118 787 DoS Overflow 2018-12-13 2020-08-24
5.0
None Remote Low Not required None None Partial
Zoho ManageEngine ADAudit before 5.1 build 5120 allows remote attackers to cause a denial of service (stack-based buffer overflow) via the 'Domain Name' field when adding a new domain.
29 CVE-2018-18980 611 2018-11-06 2019-01-30
5.0
None Remote Low Not required None Partial None
An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.
30 CVE-2018-17283 89 Sql 2018-09-21 2018-11-09
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.
31 CVE-2018-12997 200 +Info 2018-06-29 2021-08-31
5.0
None Remote Low Not required Partial None None
Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers to read certain files on the web server without login by sending a specially crafted request to the server with the operation=copyfile&fileName= substring.
32 CVE-2018-11717 532 +Info 2018-07-16 2018-09-19
5.0
None Remote Low Not required Partial None None
An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64 encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the cleartext password of recovery_password of Android devices, the cleartext password of account "set", the location of devices enrolled in the platform (with UUID and information related to the name of the person at the location), critical information about all enrolled devices such as Serial Number, UUID, Model, Name, and auth_session_token (usable to spoof a terminal identity on the platform), etc.
33 CVE-2018-11716 532 2018-07-16 2018-09-17
5.0
None Remote Low Not required Partial None None
An issue was discovered in Zoho ManageEngine Desktop Central before 100230. There is unauthenticated remote access to all log files of a Desktop Central instance containing critical information (private information such as location of enrolled devices, cleartext passwords, patching level, etc.) via a GET request on port 8022, 8443, or 8444.
34 CVE-2018-7248 2018-05-11 2020-06-30
5.0
None Remote Low Not required Partial None None
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the accounts exists, or 'null' if it does not.
35 CVE-2017-16924 330 Bypass 2018-02-19 2019-10-03
5.0
None Remote Low Not required Partial None None
Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157.
36 CVE-2017-11559 89 Sql 2019-05-23 2019-05-24
5.0
None Remote Low Not required Partial None None
An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack.
37 CVE-2017-11557 200 +Info 2019-05-23 2019-05-24
5.0
None Remote Low Not required Partial None None
An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request.
38 CVE-2017-9376 20 File Inclusion 2019-03-25 2019-04-02
5.0
None Remote Low Not required Partial None None
ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do and AssetDefaultConfigDef.do.
39 CVE-2016-6603 20 Bypass 2017-01-23 2018-10-09
5.0
None Remote Low Not required None Partial None
ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header.
40 CVE-2016-6602 327 2017-01-23 2018-10-09
5.0
None Remote Low Not required Partial None None
ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a remote exploit.
41 CVE-2016-6601 22 Dir. Trav. 2017-01-23 2018-10-09
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.
42 CVE-2016-4890 254 +Info 2017-04-14 2017-05-13
5.0
None Remote Low Not required Partial None None
ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie.
43 CVE-2015-9107 310 2017-08-04 2017-08-15
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor.
44 CVE-2015-7781 275 2017-06-27 2017-06-30
5.0
None Remote Low Not required Partial None None
ManageEngine Firewall Analyzer before 8.0 does not restrict access permissions.
45 CVE-2015-5149 22 Dir. Trav. 2015-06-30 2016-12-07
5.5
None Remote Low ??? None Partial Partial
Directory traversal vulnerability in Zoho ManageEngine SupportCenter Plus 7.90 allows remote authenticated users to write to arbitrary files via a .. (dot dot) in the component parameter in the Request component to workorder/Attachment.jsp.
46 CVE-2015-4418 284 2015-06-09 2016-12-31
5.0
None Remote Low Not required None Partial None
Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.
47 CVE-2015-2560 264 2017-08-02 2018-10-09
5.0
None Remote Low Not required Partial None None
Manage Engine Desktop Central 9 before build 90135 allows remote attackers to change passwords of users with the Administrator role via an addOrModifyUser operation to servlets/DCOperationsServlet.
48 CVE-2014-100002 22 1 Dir. Trav. 2015-01-13 2017-09-08
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to WorkOrder.do in the file attachment for a new ticket.
49 CVE-2014-7863 200 +Info 2020-02-08 2020-02-13
5.0
None Remote Low Not required Partial None None
The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.
50 CVE-2014-6039 522 2020-01-13 2020-03-26
5.0
None Remote Low Not required Partial None None
ManageEngine EventLog Analyzer version 7 through 9.9 build 9002 has a Credentials Disclosure Vulnerability. Fixed version 10 Build 10000.
Total number of vulnerabilities : 55   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.