| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. |
| Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. |
| Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration. |
| Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field. |
| Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.) |
| ZohoCorp ManageEngine Endpoint Central versions earlier than 11.4.2508.14, 11.4.2516.06, and 11.4.2518.01 are affected by an arbitrary file deletion vulnerability in the agent setup component. |
| ZohoCorp ManageEngine Endpoint Central versions prior to 11.4.2528.05 are vulnerable to a sensitive information logging issue. An authenticated user with access to the logs could potentially obtain the sensitive agent token. |
| Zohocorp ManageEngine Applications Manager versions 176800 and below are vulnerable to information disclosure in File/Directory monitor. |
| Zohocorp ManageEngine EndPoint Central versions 11.4.2516.1 and prior are vulnerable to XML Injection. |
| ZohoCorp ManageEngine Endpoint Central was impacted by an improper privilege management issue in the agent setup.
This issue affects Endpoint Central: through 11.4.2500.25, through 11.4.2508.13. |
| Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports. |
| Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling. Valid account holders in the setup only have the potential to exploit this bug. |
| Zohocorp ManageEngine Applications Manager versions 174000 and prior are vulnerable to the incorrect authorization in the update user function. |
| Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Attachments by filename keyword report. |
| Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Folder-wise read mails with subject report. |
| Zohocorp ManageEngine Analytics Plus versions below 6100 are vulnerable to authenticated sensitive data exposure which allows the users to retrieve sensitive tokens associated to the org-admin account. |
| Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs. |
| Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. |
| Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets. |
| Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. |
