Filtered by vendor Zohocorp
Subscriptions
Filtered by product Manageengine Applications Manager
Subscriptions
Total
52 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-5678 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-15 | 4.7 Medium |
| Zohocorp ManageEngine Applications Manager versions 170900 and below are vulnerable to the authenticated admin-only SQL Injection in the Create Monitor feature. | ||||
| CVE-2014-7863 | 1 Zohocorp | 3 Manageengine Applications Manager, Manageengine It360, Manageengine Opmanager | 2024-08-06 | 7.5 High |
| The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet. | ||||
| CVE-2016-9498 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-06 | N/A |
| ManageEngine Applications Manager 12 and 13 before build 13200, allows unserialization of unsafe Java objects. The vulnerability can be exploited by remote user without authentication and it allows to execute remote code compromising the application as well as the operating system. As Application Manager's RMI registry is running with privileges of system administrator, by exploiting this vulnerability an attacker gains highest privileges on the underlying operating system. | ||||
| CVE-2016-9491 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-06 | N/A |
| ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem and read the system files, including Applications Manager configuration, stored private keys, etc. By default Application Manager is running with administrative privileges, therefore it is possible to access every directory on the underlying operating system. | ||||
| CVE-2016-9489 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-06 | N/A |
| In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like "ADMIN". A user is also able to change properties of another user, e.g. change another user's password. | ||||
| CVE-2017-16851 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | N/A |
| Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter. | ||||
| CVE-2017-16849 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | N/A |
| Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter. | ||||
| CVE-2017-16848 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | N/A |
| Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter. | ||||
| CVE-2017-16847 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | N/A |
| Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action. | ||||
| CVE-2017-16850 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | N/A |
| Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action. | ||||
| CVE-2017-16846 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | N/A |
| Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter. | ||||
| CVE-2017-16543 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | N/A |
| Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter. | ||||
| CVE-2017-16542 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | N/A |
| Zoho ManageEngine Applications Manager 13 before build 13500 allows Post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request. | ||||
| CVE-2017-11740 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | N/A |
| In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be executed upon the occurrence of an alarm. An attacker can abuse this functionality by uploading a malicious script that can be executed on the remote system. | ||||
| CVE-2017-11738 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | N/A |
| In Zoho ManageEngine Application Manager prior to 14.6 Build 14660, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack. | ||||
| CVE-2017-11739 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | N/A |
| In Zoho ManageEngine Application Manager 13.1 Build 13100, an authenticated user, with administrative privileges, has the ability to add a widget on any dashboard. This widget can be a "Utility Widget" with a "Custom HTML or Text" field. Once this widget is created, it will be loaded on the dashboard where it was added. An attacker can abuse this functionality by creating a "Utility Widget" that contains malicious JavaScript code, aka XSS. | ||||
| CVE-2017-11557 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | N/A |
| An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request. | ||||
| CVE-2018-16364 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | 8.1 High |
| A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share. | ||||
| CVE-2018-15168 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | N/A |
| A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request. | ||||
| CVE-2018-15169 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | N/A |
| A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager 13 before build 13820 allows remote attackers to inject arbitrary web script or HTML via the /deleteMO.do method parameter. | ||||