ReportizFlow
Filtered by vendor Zohocorp
Subscriptions
Total
496 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-15533 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | 9.8 Critical |
| In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack. | ||||
| CVE-2020-15521 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | 6.1 Medium |
| Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS) . | ||||
| CVE-2020-15394 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | 9.8 Critical |
| The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution. | ||||
| CVE-2020-14048 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-11-21 | 7.5 High |
| Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents. | ||||
| CVE-2020-14008 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | 7.2 High |
| Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution. | ||||
| CVE-2020-13818 | 1 Zohocorp | 1 Manageengine Opmanager | 2024-11-21 | 7.5 High |
| In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed. | ||||
| CVE-2020-13154 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-11-21 | 6.5 Medium |
| Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet. | ||||
| CVE-2020-12116 | 1 Zohocorp | 1 Manageengine Opmanager | 2024-11-21 | 7.5 High |
| Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. | ||||
| CVE-2020-11946 | 1 Zohocorp | 1 Manageengine Opmanager | 2024-11-21 | 7.5 High |
| Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call. | ||||
| CVE-2020-11552 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-21 | 9.8 Critical |
| An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick-client software is launched, which connects to a remote ADSelfService Plus server to facilitate self-service operations. An unauthenticated attacker having physical access to the host could trigger a security alert by supplying a self-signed SSL certificate to the client. The View Certificate option from the security alert allows an attacker to export a displayed certificate to a file. This can further cascade to a dialog that can open Explorer as SYSTEM. By navigating from Explorer to \windows\system32, cmd.exe can be launched as a SYSTEM. | ||||
| CVE-2020-11532 | 1 Zohocorp | 2 Manageengine Adaudit Plus, Manageengine Datasecurity Plus | 2024-11-21 | 9.8 Critical |
| Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of admin user. | ||||
| CVE-2020-11531 | 1 Zohocorp | 2 Manageengine Adaudit Plus, Manageengine Datasecurity Plus | 2024-11-21 | 8.8 High |
| The DataEngine Xnode Server application in Zoho ManageEngine DataSecurity Plus prior to 6.0.1 does not validate the database schema name when handling a DR-SCHEMA-SYNC request. This allows an authenticated attacker to execute code in the context of the product by writing a JSP file to the webroot directory via directory traversal. | ||||
| CVE-2020-11527 | 1 Zohocorp | 1 Manageengine Opmanager | 2024-11-21 | 7.5 High |
| In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. | ||||
| CVE-2020-11518 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-21 | 9.8 Critical |
| Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution. | ||||
| CVE-2020-10859 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | 6.5 Medium |
| Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request. | ||||
| CVE-2020-10816 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | 7.5 High |
| Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet. | ||||
| CVE-2020-10541 | 1 Zohocorp | 1 Manageengine Opmanager | 2024-11-21 | 9.8 Critical |
| Zoho ManageEngine OpManager before 12.4.179 allows remote code execution via a specially crafted Mail Server Settings v1 API request. This was fixed in 12.5.108. | ||||
| CVE-2020-10189 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | 9.8 Critical |
| Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets. | ||||
| CVE-2019-8929 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2024-11-21 | N/A |
| An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/selectDevice.jsp file in these GET parameters: param and rtype. | ||||
| CVE-2019-8928 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2024-11-21 | N/A |
| An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in /netflow/jspui/userManagementForm.jsp via these GET parameters: authMeth, passWord, pwd1, and userName. | ||||