CVEdetails.com the ultimate security vulnerability data source
Zohocorp : Security Vulnerabilities (CVSS score between 6 and 6.99)

Each entry below gives: entry number, CVE ID, CWE ID, number of public exploits where one is listed, vulnerability type(s), publish date and update date; then the CVSS v2 base score with its metrics in order: access vector (Remote/Local), access complexity, authentication required (Not required / Single / Multiple), and confidentiality (C), integrity (I) and availability (A) impact, followed by the gained access level; then the description.
1. CVE-2021-40174 | CWE-352 | CSRF | published 2021-08-29, updated 2021-09-01
   CVSS 6.8 | Remote | Medium | Not required | C:Partial I:Partial A:Partial | gained access: None
   Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings.

2. CVE-2021-40173 | CWE-352 | CSRF | published 2021-08-29, updated 2021-09-01
   CVSS 6.8 | Remote | Medium | Not required | C:Partial I:Partial A:Partial | gained access: None
   Zoho ManageEngine Cloud Security Plus before Build 4117 allows a CSRF attack on the server proxy settings.

3. CVE-2021-40172 | CWE-352 | CSRF | published 2021-08-29, updated 2021-09-01
   CVSS 6.8 | Remote | Medium | Not required | C:Partial I:Partial A:Partial | gained access: None
   Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings.

4. CVE-2021-37741 | CWE-287 | published 2021-09-21, updated 2021-10-01
   CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
   ManageEngine ADManager Plus before 7111 has Pre-authentication RCE vulnerabilities.

5. CVE-2021-35512 | CWE-918 | published 2021-10-21, updated 2021-10-28
   CVSS 6.4 | Remote | Low | Not required | C:Partial I:Partial A:None | gained access: None
   An SSRF issue was discovered in Zoho ManageEngine Applications Manager build 15200.

6. CVE-2021-20131 | CWE-434 | Exec Code | published 2021-10-13, updated 2021-10-19
   CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
   ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the Personalization interface.

7. CVE-2021-20130 | CWE-434 | Exec Code | published 2021-10-13, updated 2021-10-19
   CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
   ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the PasswordExpiry interface.

8. CVE-2020-35765 | CWE-89 | SQL | published 2021-02-05, updated 2021-02-17
   CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
   doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do.

9. CVE-2020-35682 | CWE-863 | Bypass | published 2021-03-13, updated 2021-03-18
   CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
   Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).

10. CVE-2020-28050 | CWE-863 | published 2021-03-05, updated 2021-07-21
    CVSS 6.4 | Remote | Low | Not required | C:Partial I:Partial A:None | gained access: None
    Zoho ManageEngine Desktop Central before build 10.0.647 allows multiple agents to communicate with the server using a single shared authentication secret.

11. CVE-2020-27733 | CWE-89 | SQL | published 2021-01-19, updated 2021-01-26
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.

12. CVE-2020-16267 | CWE-89 | SQL | published 2020-10-06, updated 2020-10-14
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module.

13. CVE-2020-15927 | CWE-89 | SQL | published 2020-10-06, updated 2020-10-14
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module.

14. CVE-2020-15589 | Exec Code | published 2020-10-02, updated 2020-10-09
    CVSS 6.8 | Remote | Medium | Not required | C:Partial I:Partial A:Partial | gained access: None
    A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. By exploiting this issue, an attacker-controlled server can force the client to skip TLS certificate validation, leading to a man-in-the-middle attack against HTTPS and unauthenticated remote code execution.

15. CVE-2020-14008 | CWE-434 | Exec Code | published 2020-09-04, updated 2020-09-16
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution.

16. CVE-2020-11531 | CWE-22 | Exec Code, Dir. Trav. | published 2020-05-08, updated 2020-05-18
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    The DataEngine Xnode Server application in Zoho ManageEngine DataSecurity Plus prior to 6.0.1 does not validate the database schema name when handling a DR-SCHEMA-SYNC request. This allows an authenticated attacker to execute code in the context of the product by writing a JSP file to the webroot directory via directory traversal.
17. CVE-2020-9367 | CWE-427 | published 2021-03-18, updated 2021-03-25
    CVSS 6.9 | Local | Medium | Not required | C:Complete I:Complete A:Complete | gained access: None
    The MPS Agent in Zoho ManageEngine Desktop Central MSP build 10.0.486 is vulnerable to DLL hijacking: dcinventory.exe and dcconfig.exe try to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because this DLL is missing from the installation, so a DLL of that name placed on the search path is loaded and its code executed, escalating privileges to NT AUTHORITY\SYSTEM.
18. CVE-2020-9346 | CWE-352 | CSRF | published 2020-03-16, updated 2020-03-20
    CVSS 6.8 | Remote | Medium | Not required | C:Partial I:Partial A:Partial | gained access: None
    Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role.

19. CVE-2019-19650 | CWE-89 | SQL | published 2019-12-11, updated 2019-12-19
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.
20. CVE-2019-19034 | CWE-78 | Exec Code | published 2020-03-23, updated 2020-05-15
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer server with NT AUTHORITY\SYSTEM privileges.
21. CVE-2019-18411 | CWE-352 | CSRF | published 2019-11-06, updated 2019-11-08
    CVSS 6.8 | Remote | Medium | Not required | C:Partial I:Partial A:Partial | gained access: None
    Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. A user who is attacked with this vulnerability is forced to modify their enrolled information, such as email address and mobile phone number, unintentionally. An attacker can then use the password reset function, so that the system sends the verification code to a channel the attacker controls.
22. CVE-2019-12994 | CWE-918 | published 2019-08-08, updated 2019-08-16
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer version 6.2.0 for the AJaxServlet servlet via a parameter in a URL.

23. CVE-2019-12959 | CWE-918 | published 2019-08-08, updated 2019-08-16
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer 6.2.0 and before for the ClientUtilServlet servlet via a URL in a parameter.

24. CVE-2019-11361 | CWE-863 | published 2020-03-19, updated 2020-08-24
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user permissions properly, allowing for privilege escalation and eventually a full application takeover.

25. CVE-2019-10008 | CWE-384 | published 2019-04-24, updated 2019-04-25
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab.

26. CVE-2019-7162 | published 2019-12-31, updated 2020-08-24
    CVSS 6.4 | Remote | Low | Not required | C:Partial I:Partial A:None | gained access: None
    An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to retrieve internal information from the system and modify the product installation.

27. CVE-2018-19374 | CWE-732 | +Priv | published 2019-04-30, updated 2019-10-03
    CVSS 6.9 | Local | Medium | Not required | C:Complete I:Complete A:Complete | gained access: None
    Zoho ManageEngine ADManager Plus 6.6 Build 6657 allows local users to gain privileges (after a reboot) by placing a Trojan horse file into the permissive bin directory.

28. CVE-2018-12999 | CWE-20 | published 2018-06-29, updated 2018-08-20
    CVSS 6.4 | Remote | Low | Not required | C:None I:Partial A:Partial | gained access: None
    Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI.

29. CVE-2018-5342 | CWE-732 | published 2018-04-18, updated 2019-10-03
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account.

30. CVE-2018-5340 | published 2018-04-18, updated 2019-10-03
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: database access using a superuser account (specifically, an account with permission to write to the filesystem via SQL queries).
31. CVE-2017-17552 | CWE-352 | Bypass, CSRF | published 2018-02-07, updated 2018-03-13
    CVSS 6.8 | Remote | Medium | Not required | C:Partial I:Partial A:Partial | gained access: None
    /LoadFrame in Zoho ManageEngine AD Manager Plus builds 6590 through 6613 allows attackers to conduct URL redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted.
32. CVE-2017-16542 | CWE-89 | SQL | published 2017-11-05, updated 2018-08-07
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    Zoho ManageEngine Applications Manager 13 before build 13500 allows Post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request.

33. CVE-2017-11740 | CWE-20 | published 2019-05-23, updated 2019-05-23
    CVSS 6.8 | Remote | Medium | Not required | C:Partial I:Partial A:Partial | gained access: None
    In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be executed upon the occurrence of an alarm. An attacker can abuse this functionality by uploading a malicious script that can be executed on the remote system.

34. CVE-2017-11738 | CWE-89 | SQL | published 2019-05-23, updated 2020-07-27
    CVSS 6.8 | Remote | Medium | Not required | C:Partial I:Partial A:Partial | gained access: None
    In Zoho ManageEngine Application Manager prior to 14.6 Build 14660, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack.
35. CVE-2017-9362 | CWE-611 | published 2019-03-25, updated 2019-04-02
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    ManageEngine ServiceDesk Plus before 9312 contains an XML injection (CWE-611, improper restriction of XML external entity references) in the CMDB API's add Configuration Items operation.
36. CVE-2016-9491 | CWE-200 | +Info | published 2018-07-13, updated 2019-10-09
    CVSS 6.8 | Remote | Low | Single | C:Complete I:None A:None | gained access: None
    ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem and read the system files, including Applications Manager configuration, stored private keys, etc. By default Application Manager is running with administrative privileges, therefore it is possible to access every directory on the underlying operating system.

37. CVE-2016-4889 | CWE-264 | published 2017-04-14, updated 2017-05-13
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions.

38. CVE-2016-1161 | CWE-352 | CSRF | published 2017-04-20, updated 2017-04-26
    CVSS 6.0 | Remote | Medium | Single | C:Partial I:Partial A:Partial | gained access: None
    Cross-site request forgery (CSRF) vulnerability in ManageEngine Password Manager Pro before 8.5 (Build 8500).

39. CVE-2015-5459 | CWE-89 | Exec Code, SQL | published 2015-07-08, updated 2016-12-07
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    SQL injection vulnerability in the AdvanceSearch.class in AdventNetPassTrix.jar in ManageEngine Password Manager Pro (PMP) before 8.1 Build 8101 allows remote authenticated users to execute arbitrary SQL commands via the ANDOR parameter, as demonstrated by a request to STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc.

40. CVE-2015-2961 | CWE-352 | CSRF | published 2015-06-09, updated 2016-12-31
    CVSS 6.8 | Remote | Medium | Not required | C:Partial I:Partial A:Partial | gained access: None
    Cross-site request forgery (CSRF) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to hijack the authentication of administrators.

41. CVE-2015-1479 | CWE-89 | 1 exploit | Exec Code, SQL | published 2015-02-04, updated 2015-02-06
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter.

42. CVE-2014-9331 | CWE-352 | 1 exploit | CSRF | published 2015-02-04, updated 2018-10-09
    CVSS 6.8 | Remote | Medium | Not required | C:Partial I:Partial A:Partial | gained access: None
    Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via an addUser action to STATE_ID/1417736606982/roleMgmt.do.
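The CSRF entries in this listing (CVE-2021-40174, -40173 and -40172, CVE-2020-9346, CVE-2019-18411, CVE-2017-17552, CVE-2016-1161, CVE-2015-2961 and CVE-2014-9331) all describe the same defect: a state-changing request is accepted from any origin as long as the victim's session cookie rides along with it. The following is an added example, not code from cvedetails or from any ManageEngine product. It models an admin "add user" action like the roleMgmt.do one above as plain Python, first with only a session check and then with the two checks that stop a forged request: a synchronizer token bound to the session and a full-origin comparison. SERVER_SECRET, SITE_ORIGIN, the session id, the request samples and the function names are this example's own assumptions.

```python
"""Anti-CSRF checks for a state-changing admin action, modelled in plain Python.

Added example, not cvedetails or ManageEngine code. Requests are dicts
constructed below; SERVER_SECRET, SITE_ORIGIN, the session id and the
handler names are assumptions. `vulnerable_add_user` accepts any request
carrying the victim's session cookie, which is the defect behind the CSRF
entries in the listing; `add_user` adds the checks that defeat a forgery.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

SERVER_SECRET = b"per-deployment secret, never in source control"  # assumption
SITE_ORIGIN = "https://desktopcentral.example.test"                # assumption


def csrf_token(session_id):
    """Synchronizer token bound to the session: HMAC(secret, session id).
    The attacker's page cannot read the victim's cookie, so it cannot
    produce this value; the server re-derives it without any storage."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers):
    """Origin check with Referer fallback. Browsers attach Origin to every
    cross-origin POST, so a request carrying neither header is refused rather
    than trusted. The whole origin is compared, never a string prefix."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def vulnerable_add_user(request):
    """Only asks 'is there a session?', so a forged request succeeds."""
    if "JSESSIONID" not in request["cookies"]:
        return 401, "not logged in"
    return 200, f"user {request['form']['userName']} added"


def add_user(request):
    """Same action with method, origin and token checks in front of it."""
    if request["method"] != "POST":
        return 405, "state change must be a POST"
    session_id = request["cookies"].get("JSESSIONID")
    if session_id is None:
        return 401, "not logged in"
    if not same_origin(request["headers"]):
        return 403, "cross-site request"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    return 200, f"user {request['form']['userName']} added"


# Constructed traffic. The browser sends the session cookie in every case;
# only the method, the origin and the token differ.
SESSION = "A1B2C3D4"  # constructed session id; never visible to the attacker's page
COOKIES = {"JSESSIONID": SESSION}
NEW_ADMIN = {"userName": "backupadmin", "role": "Administrator"}
LEGITIMATE = {
    "method": "POST", "cookies": COOKIES, "headers": {"Origin": SITE_ORIGIN},
    "form": {**NEW_ADMIN, "csrf_token": csrf_token(SESSION)},
}
FORGED = {  # auto-submitted form hosted on https://attacker.example.test
    "method": "POST", "cookies": COOKIES,
    "headers": {"Origin": "https://attacker.example.test"},
    "form": dict(NEW_ADMIN),
}
FORGED_GET = {  # <img src="https://.../roleMgmt.do?userName=..."> style
    "method": "GET", "cookies": COOKIES,
    "headers": {"Referer": "https://attacker.example.test/page.html"},
    "form": dict(NEW_ADMIN),
}
WRONG_TOKEN = {  # right origin header, guessed token
    "method": "POST", "cookies": COOKIES, "headers": {"Origin": SITE_ORIGIN},
    "form": {**NEW_ADMIN, "csrf_token": "0" * 64},
}

if __name__ == "__main__":
    for name, req in [("legitimate", LEGITIMATE), ("forged", FORGED),
                      ("forged GET", FORGED_GET), ("wrong token", WRONG_TOKEN)]:
        print(f"{name:12} vulnerable={vulnerable_add_user(req)[0]}  hardened={add_user(req)[0]}")
```

The vulnerable handler returns 200 for every one of the four requests; the hardened one accepts only the legitimate POST. Comparing the complete origin rather than a Referer prefix is deliberate: an open redirector on the trusted host, such as the /LoadFrame src parameter in the CVE-2017-17552 entry above, is one of the ways a prefix check gets fooled.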
43. CVE-2014-8498 | CWE-89 | 1 exploit | Exec Code, SQL | published 2014-11-17, updated 2019-07-16
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    SQL injection vulnerability in BulkEditSearchResult.cc in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allows remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter.

44. CVE-2014-6043 | CWE-264 | 1 exploit | published 2014-09-11, updated 2020-03-26
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000.

45. CVE-2014-6036 | CWE-22 | Dir. Trav. | published 2014-12-04, updated 2019-07-15
    CVSS 6.4 | Remote | Low | Not required | C:None I:Partial A:Partial | gained access: None
    Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter.
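Two entries in this listing, CVE-2018-12999 (a computerName=../ substring sent to /agenttrayicon) and CVE-2014-6036 (.. in the fileName parameter of the multipartRequest servlet), have the same shape: a request parameter is joined onto a directory path and the result is used to delete a file without checking that it still lies inside that directory. The following is an added example, written for this page and not taken from ManageEngine or cvedetails: the vulnerable join beside a containment check, run over a set of constructed parameter values that includes the ../ form from the listing plus percent-encoded, backslash, absolute-path and NUL-byte variants. The base directory is a temporary directory created for the run; DEMO_BASE, SAMPLE_NAMES and the function names are assumptions.

```python
"""Containment check for a user-supplied file name under a fixed directory.

Added example, not ManageEngine or cvedetails code. `unsafe_path` is the
join the two traversal entries describe; `safe_path` refuses anything that
would resolve outside the base directory. DEMO_BASE is a temporary
directory and SAMPLE_NAMES are constructed parameter values.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def unsafe_path(base, name):
    """Vulnerable: os.path.join keeps '..' segments and discards `base`
    entirely when `name` is absolute."""
    return os.path.join(base, name)


def safe_path(base, name):
    """Return base/name as an absolute Path, or raise ValueError.

    Decode once (so %2e%2e%2f is judged as ../), treat backslashes as
    separators, then resolve and require the result to be strictly inside
    the resolved base. Resolving also follows symlinks, so a link planted
    under base that points elsewhere is rejected as well."""
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    decoded = unquote(name).replace("\\", "/")
    base_dir = Path(base).resolve()
    candidate = (base_dir / decoded).resolve()
    if base_dir not in candidate.parents:
        raise ValueError(f"escapes base directory: {name!r}")
    return candidate


def classify(base, names):
    """Map each name to True (stays inside base) or False (rejected)."""
    verdicts = {}
    for name in names:
        try:
            safe_path(base, name)
            verdicts[name] = True
        except ValueError:
            verdicts[name] = False
    return verdicts


DEMO_BASE = tempfile.mkdtemp(prefix="agentdata-")  # stands in for the servlet's data directory
SAMPLE_NAMES = [
    "WKS-0042",                      # ordinary computerName value
    "sub/WKS-0042.xml",              # nested but still inside
    "../",                           # the CVE-2018-12999 shape
    "../../conf/server.xml",         # classic fileName traversal
    "..%2F..%2Fconf%2Fserver.xml",   # percent-encoded separators
    "..\\..\\conf\\server.xml",      # backslash separators
    "/etc/passwd",                   # absolute name replaces the base under os.path.join
    "WKS-0042\x00.xml",              # NUL truncation attempt
]

if __name__ == "__main__":
    for name, ok in classify(DEMO_BASE, SAMPLE_NAMES).items():
        verdict = "allow " if ok else "reject"
        print(f"{verdict}  {name!r:34}  unsafe join -> {unsafe_path(DEMO_BASE, name)}")
```

Only the first two names are accepted. Note that the check decodes exactly once: a doubly encoded name such as %252e%252e stays a literal file name called "%2e%2e" inside the base, which is harmless here but becomes a traversal again if some later layer decodes it a second time, so the decode-then-resolve step must sit at the last point before the filesystem call.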
46. CVE-2014-0344 | CWE-264 | published 2014-03-29, updated 2015-07-24
    CVSS 6.5 | Remote | Low | Single | C:Partial I:Partial A:Partial | gained access: None
    Properties.do in ZOHO ManageEngine OpStor before build 8500 does not properly check privilege levels, which allows remote authenticated users to obtain Admin access by using the name parameter in conjunction with a true value of the edit parameter.
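The score column in this listing is not independent data: a CVSS v2 base score is a fixed function of the six metrics listed beside it (access vector, access complexity, authentication, and the C/I/A impacts), which is how the authentication value can be checked, or recovered when a scrape garbles it to "???". The following is an added example, not cvedetails code. It parses rows in the four-line layout cvedetails pages have when scraped to text (entry line, score, metric words, description), recomputes the v2 base score with the weights from the CVSS v2 specification, and for rows whose authentication field reads "???" keeps whichever of Multiple, Single or Not required reproduces the listed score. SAMPLE_ROWS copies four entries from this listing with their descriptions shortened; function names are this example's own, and nothing contacts cvedetails.com.

```python
"""Recompute CVSS v2 base scores for rows of a scraped cvedetails listing.

Added example, not cvedetails code. SAMPLE_ROWS reproduces four entries
from the listing in the scraped four-line layout (entry line, score,
metric words, description; descriptions shortened). Function names such
as parse_vector and resolve_auth are this example's own.
"""
import re
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights (CVSS v2 guide, section 3.2.1), keyed by the
# words cvedetails uses for them.
AV = {"Local": 0.395, "Adjacent Network": 0.646, "Remote": 1.0}
AC = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AU = {"Multiple": 0.45, "Single": 0.56, "Not required": 0.704}
CIA = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}

# "<n> CVE-... [<cwe>] [<exploits> <types>] <published> <updated>"
ENTRY_RE = re.compile(
    r"^(?P<idx>\d+)\s+(?P<cve>CVE-\d{4}-\d+)\s+(?:(?P<cwe>\d+)\s+)?"
    r"(?P<types>.*?)\s*(?P<published>\d{4}-\d\d-\d\d)\s+(?P<updated>\d{4}-\d\d-\d\d)$"
)

SAMPLE_ROWS = """\
1 CVE-2021-40174 352 CSRF 2021-08-29 2021-09-01
6.8
None Remote Medium Not required Partial Partial Partial
Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings.
8 CVE-2020-35765 89 Sql 2021-02-05 2021-02-17
6.5
None Remote Low ??? Partial Partial Partial
Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via resourceid.
17 CVE-2020-9367 427 2021-03-18 2021-03-25
6.9
None Local Medium Not required Complete Complete Complete
The MPS Agent in Zoho ManageEngine Desktop Central MSP build 10.0.486 is vulnerable to DLL Hijacking.
38 CVE-2016-1161 352 CSRF 2017-04-20 2017-04-26
6.0
None Remote Medium ??? Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in ManageEngine Password Manager Pro before 8.5 (Build 8500).
"""


def cvss2_base(av, ac, au, c, i, a):
    """CVSS v2 base score, rounded half-up to one decimal as the spec requires."""
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(line):
    """Split 'gained AV AC Au C I A'; Au and 'Adjacent Network' can be two words."""
    tokens = line.split()
    gained = tokens[0]
    c, i, a = tokens[-3:]
    middle = tokens[1:-3]
    if middle[0] == "Adjacent":
        av, ac, au = "Adjacent Network", middle[2], " ".join(middle[3:])
    else:
        av, ac, au = middle[0], middle[1], " ".join(middle[2:])
    return gained, av, ac, au, c, i, a


def resolve_auth(av, ac, au, c, i, a, listed):
    """Authentication values that reproduce the listed score ('???' tries all three)."""
    candidates = list(AU) if au == "???" else [au]
    return [x for x in candidates if cvss2_base(av, ac, x, c, i, a) == listed]


def check_listing(text):
    """Return (cve, listed score, matching Au values) for each four-line row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    results = []
    for entry, score, vector, _desc in zip(*[iter(lines)] * 4):
        m = ENTRY_RE.match(entry)
        if m is None:
            raise ValueError(f"unparsable entry line: {entry!r}")
        listed = float(score)
        _gained, av, ac, au, c, i, a = parse_vector(vector)
        results.append((m["cve"], listed, resolve_auth(av, ac, au, c, i, a, listed)))
    return results


if __name__ == "__main__":
    for cve, listed, matches in check_listing(SAMPLE_ROWS):
        print(f"{cve}: listed {listed}, authentication = {matches or 'no match'}")
```

For the two sample rows whose authentication field is "???", only Single reproduces the listed 6.5 and 6.0; with Not required the same metric combinations would score 7.5 and 6.8, and with Multiple 5.8 and 5.4. The same arithmetic explains the two score bands that dominate this page: Remote / Low / Single / Partial x 3 gives 6.5, Remote / Medium / Not required / Partial x 3 gives 6.8.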
Total number of vulnerabilities: 46