ReportizFlow
Filtered by vendor Zohocorp
Subscriptions
Total
496 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-19649 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | 9.8 Critical |
| Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function. | ||||
| CVE-2019-19475 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | 8.8 High |
| An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in “Authenticated Users” group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrary command to escalate and gain full system privilege user access and rights over the system. | ||||
| CVE-2019-19034 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2024-11-21 | 7.2 High |
| Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges. | ||||
| CVE-2019-18781 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-21 | 6.1 Medium |
| An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site. | ||||
| CVE-2019-18411 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-21 | 8.8 High |
| Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the reset password function and control the system to send the authentication code back to the channel that the attackers own. | ||||
| CVE-2019-17602 | 1 Zohocorp | 1 Manageengine Opmanager | 2024-11-21 | 9.8 Critical |
| An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated. | ||||
| CVE-2019-17421 | 1 Zohocorp | 2 Manageengine Firewall Analyzer, Manageengine Opmanager | 2024-11-21 | 7.8 High |
| Incorrect file permissions on the packaged Nipper executable file in Zoho ManageEngine OpManager 12.4.072 and Firewall Analyzer 12.4.072 allow local users to elevate privileges to root by overwriting this file with a malicious payload. | ||||
| CVE-2019-17112 | 1 Zohocorp | 1 Manageengine Datasecurity Plus | 2024-11-21 | 4.3 Medium |
| An issue was discovered in Zoho ManageEngine DataSecurity Plus before 5.0.1 5012. An exposed service allows a basic user ("Operator" access level) to access the configuration file of the mail server (except for the password). | ||||
| CVE-2019-16962 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | 5.4 Medium |
| Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a modified Report Name in a New Custom Report. | ||||
| CVE-2019-16268 | 1 Zohocorp | 1 Manageengine Remote Access Plus | 2024-11-21 | 4.8 Medium |
| Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen. | ||||
| CVE-2019-15510 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | 6.1 Medium |
| ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 10 allows HTML injection on the user administration page via the description of a role. | ||||
| CVE-2019-15106 | 1 Zohocorp | 1 Manageengine Opmanager | 2024-11-21 | N/A |
| An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm. | ||||
| CVE-2019-15105 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | N/A |
| An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. | ||||
| CVE-2019-15104 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | N/A |
| An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. | ||||
| CVE-2019-15083 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-11-21 | 6.1 Medium |
| Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator visualizes this page. | ||||
| CVE-2019-15046 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-11-21 | 7.5 High |
| Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989. | ||||
| CVE-2019-15045 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-11-21 | N/A |
| AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality | ||||
| CVE-2019-14693 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2024-11-21 | N/A |
| Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | ||||
| CVE-2019-12994 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2024-11-21 | N/A |
| Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer version 6.2.0 for the AJaxServlet servlet via a parameter in a URL. | ||||
| CVE-2019-12959 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2024-11-21 | N/A |
| Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer 6.2.0 and before for the ClientUtilServlet servlet via a URL in a parameter. | ||||