CVEdetails.com the ultimate security vulnerability data source

Zohocorp : Security Vulnerabilities (Cross Site Scripting (XSS))

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-43295 79 XSS 2021-11-30 2021-12-02
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module.
2 CVE-2021-43294 79 XSS 2021-11-30 2021-12-02
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module.
3 CVE-2021-40178 79 XSS 2021-08-29 2021-09-01
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine Log360 before Build 5224 allows stored XSS via the LOGO_PATH key value in the logon settings.
4 CVE-2021-40176 79 XSS 2021-08-29 2021-09-01
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine Log360 before Build 5225 allows stored XSS.
5 CVE-2021-37416 79 XSS 2021-08-30 2021-09-02
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.
6 CVE-2021-36772 79 XSS 2021-07-17 2021-07-28
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine ADManager Plus before 7110 allows stored XSS.
7 CVE-2021-36771 79 XSS 2021-07-17 2021-07-28
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS.
8 CVE-2021-33849 79 Exec Code XSS 2021-10-05 2021-10-14
3.5
None Remote Medium ??? None Partial None
A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. The attack targets your application's users and not the application itself while using your application as the attack's vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4.
9 CVE-2021-31813 79 XSS 2021-07-01 2021-09-21
3.5
None Remote Medium ??? None Partial None
Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD.
10 CVE-2021-28382 79 XSS 2021-06-07 2021-06-14
3.5
None Remote Medium ??? None Partial None
Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD.
11 CVE-2021-27956 79 XSS 2021-05-20 2021-05-26
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.
12 CVE-2021-27214 79 XSS 2021-02-19 2021-02-26
4.3
None Remote Medium Not required None Partial None
A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905.
13 CVE-2021-20080 79 XSS 2021-04-09 2021-04-19
4.3
None Remote Medium Not required None Partial None
Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file.
14 CVE-2020-35594 79 XSS 2021-03-05 2021-03-11
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine ADManager Plus before 7066 allows XSS.
15 CVE-2020-15521 79 XSS 2020-09-25 2020-09-30
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS).
16 CVE-2020-6843 79 XSS 2020-01-23 2020-01-27
3.5
None Remote Medium ??? None Partial None
Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959.
17 CVE-2019-15510 79 XSS 2020-03-23 2020-08-24
4.3
None Remote Medium Not required None Partial None
ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 10 allows HTML injection on the user administration page via the description of a role.
18 CVE-2019-15083 79 Exec Code XSS 2020-05-14 2020-05-19
4.3
None Remote Medium Not required None Partial None
Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator visualizes this page.
19 CVE-2019-12597 79 XSS 2019-07-11 2019-07-25
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via ResourcesAttachments.jsp with the parameter pageName.
20 CVE-2019-12596 79 XSS 2019-07-11 2019-07-25
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via SoftwareListView.do with the parameter swType or swComplianceType.
21 CVE-2019-12595 79 XSS 2019-07-11 2019-07-25
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via the RCSettings.do rdsName parameter.
22 CVE-2019-12543 79 XSS 2019-06-05 2019-06-06
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.
23 CVE-2019-12542 79 XSS 2019-06-05 2019-06-06
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.
24 CVE-2019-12541 79 XSS 2019-06-05 2019-06-06
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.
25 CVE-2019-12540 79 XSS 2019-07-11 2019-07-15
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. There is XSS via the WorkOrder.do search field.
26 CVE-2019-12539 79 XSS 2019-07-11 2021-01-13
4.3
None Remote Medium Not required None Partial None
An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus. There is XSS via the SearchN.do search field, a different vulnerability than CVE-2019-12189.
27 CVE-2019-12538 79 XSS 2019-06-05 2019-06-06
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field.
28 CVE-2019-12537 79 XSS 2019-07-11 2019-07-25
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via the SearchN.do search field.
29 CVE-2019-12189 79 XSS 2019-05-21 2019-05-23
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.
30 CVE-2019-11676 79 XSS 2019-05-02 2019-05-03
4.3
None Remote Medium Not required None Partial None
The user defined DNS name in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to stored XSS attacks.
31 CVE-2019-11511 79 XSS 2019-04-25 2019-06-03
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API.
32 CVE-2019-8929 79 XSS 2019-05-17 2019-05-17
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/selectDevice.jsp file in these GET parameters: param and rtype.
33 CVE-2019-8928 79 XSS 2019-05-17 2019-05-17
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in /netflow/jspui/userManagementForm.jsp via these GET parameters: authMeth, passWord, pwd1, and userName.
34 CVE-2019-8927 79 XSS 2019-05-17 2019-05-17
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/scheduleConfig.jsp file via these GET parameters: devSrc, emailId, excWeekModify, filterFlag, getFilter, mailReport, mset, popup, rep_schedule, rep_Type, schDesc, schName, schSource, selectDeviceDone, task, val10, and val11.
35 CVE-2019-8926 79 XSS 2019-05-17 2019-05-17
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/popup1.jsp file via these GET parameters: bussAlert, customDev, and selSource.
36 CVE-2019-8346 79 XSS CSRF 2019-05-24 2019-05-29
4.3
None Remote Medium Not required None Partial None
In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token.
37 CVE-2019-7427 79 XSS 2019-05-07 2019-05-08
4.3
None Remote Medium Not required None Partial None
XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the autorefTime or graphTypes parameter.
38 CVE-2019-7426 79 XSS 2019-05-07 2019-05-08
4.3
None Remote Medium Not required None Partial None
XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the groupDesc, groupName, groupID, or task parameter.
39 CVE-2019-7425 79 XSS 2019-03-21 2019-10-30
4.3
None Remote Medium Not required None Partial None
XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the task parameter.
40 CVE-2019-7424 79 XSS 2019-03-21 2019-03-22
4.3
None Remote Medium Not required None Partial None
XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/index.jsp" file in the view GET parameter or any of these POST parameters: autorefTime, section, snapshot, viewOpt, viewAll, view, or groupSelName. The latter is related to CVE-2009-3903.
41 CVE-2019-7423 79 XSS 2019-03-21 2019-03-22
4.3
None Remote Medium Not required None Partial None
XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/editProfile.jsp" file in the userName parameter.
42 CVE-2019-7422 79 XSS 2019-03-21 2019-03-22
4.3
None Remote Medium Not required None Partial None
XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/addMailSettings.jsp" file in the gF parameter.
43 CVE-2018-20485 79 XSS 2018-12-26 2019-05-10
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature.
44 CVE-2018-20484 79 XSS 2018-12-26 2019-05-10
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation.
45 CVE-2018-20339 79 XSS 2018-12-21 2021-05-04
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms section.
46 CVE-2018-19921 79 XSS 2018-12-06 2021-05-04
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain controller.
47 CVE-2018-19288 79 XSS 2018-11-15 2021-05-04
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API.
48 CVE-2018-18716 79 XSS 2018-11-20 2021-05-04
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine OpManager 12.3 before 123219 has a Self XSS Vulnerability.
49 CVE-2018-18715 79 XSS 2018-11-20 2021-05-04
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine OpManager 12.3 before 123219 has stored XSS.
50 CVE-2018-18262 79 XSS 2018-10-17 2021-05-04
4.3
None Remote Medium Not required None Partial None
Zoho ManageEngine OpManager 12.3 before build 123214 has XSS.
Total number of vulnerabilities: 87 (this is page 1 of 2)