Filtered by vendor Zohocorp Subscriptions
Total 491 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-20108 1 Zohocorp 1 Manageengine Assetexplorer 2024-11-21 7.5 High
Manage Engine Asset Explorer Agent 1.0.34 listens on port 9000 for incoming commands over HTTPS from Manage Engine Server. The HTTPS certificates are not verified which allows any arbitrary user on the network to send commands over port 9000. While these commands may not be executed (due to authtoken validation), the Asset Explorer agent will reach out to the manage engine server for an HTTP request. During this process, AEAgent.cpp allocates 0x66 bytes using "malloc". This memory is never free-ed in the program, causing a memory leak. Additionally, the instruction sent to aeagent (ie: NEWSCAN, DELTASCAN, etc) is converted to a unicode string, but is never freed. These memory leaks allow a remote attacker to exploit a Denial of Service scenario through repetitively sending these commands to an agent and eventually crashing it the agent due to an out-of-memory condition.
CVE-2021-20081 2 Microsoft, Zohocorp 2 Windows, Manageengine Servicedesk Plus 2024-11-21 7.2 High
Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary commands with SYSTEM privileges.
CVE-2021-20080 1 Zohocorp 1 Manageengine Servicedesk Plus 2024-11-21 6.1 Medium
Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file.
CVE-2021-20078 1 Zohocorp 1 Manageengine Opmanager 2024-11-21 9.1 Critical
Manage Engine OpManager builds below 125346 are vulnerable to a remote denial of service vulnerability due to a path traversal issue in spark gateway component. This allows a remote attacker to remotely delete any directory or directories on the OS.
CVE-2020-9367 1 Zohocorp 1 Manageengine Desktop Central 2024-11-21 7.8 High
The MPS Agent in Zoho ManageEngine Desktop Central MSP build MSP build 10.0.486 is vulnerable to DLL Hijacking: dcinventory.exe and dcconfig.exe try to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because this DLL is missing from the installation, thus making it possible to hijack the DLL and subsequently inject code, leading to an escalation of privilege to NT AUTHORITY\SYSTEM.
CVE-2020-9347 1 Zohocorp 1 Manageengine Password Manager Pro 2024-11-21 9.8 Critical
Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products
CVE-2020-9346 1 Zohocorp 1 Manageengine Password Manager Pro 2024-11-21 8.8 High
Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role.
CVE-2020-8838 1 Zohocorp 1 Manageengine Assetexplorer 2024-11-21 6.4 Medium
An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. During an upgrade of the Windows agent, it does not validate the source and binary downloaded. This allows an attacker on an adjacent network to execute code with NT AUTHORITY/SYSTEM privileges on the agent machines by providing an arbitrary executable via a man-in-the-middle attack.
CVE-2020-8540 1 Zohocorp 1 Manageengine Desktop Central 2024-11-21 9.8 Critical
An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
CVE-2020-8509 1 Zohocorp 1 Manageengine Desktop Central 2024-11-21 7.5 High
Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure.
CVE-2020-8422 1 Zohocorp 1 Manageengine Remote Access Plus 2024-11-21 4.3 Medium
An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password).
CVE-2020-6843 1 Zohocorp 1 Manageengine Servicedesk Plus 2024-11-21 4.8 Medium
Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959.
CVE-2020-35765 1 Zohocorp 1 Manageengine Applications Manager 2024-11-21 8.8 High
doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do.
CVE-2020-35682 1 Zohocorp 1 Manageengine Servicedesk Plus 2024-11-21 8.8 High
Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).
CVE-2020-35594 1 Zohocorp 1 Manageengine Admanager Plus 2024-11-21 6.1 Medium
Zoho ManageEngine ADManager Plus before 7066 allows XSS.
CVE-2020-29658 1 Zohocorp 1 Manageengine Applications Control Plus 2024-11-21 9.8 Critical
Zoho ManageEngine Application Control Plus before 100523 has an insecure SSL configuration setting for Nginx, leading to Privilege Escalation.
CVE-2020-28679 1 Zohocorp 1 Manageengine Applications Manager 2024-11-21 8.8 High
A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request.
CVE-2020-28653 1 Zohocorp 1 Manageengine Opmanager 2024-11-21 9.8 Critical
Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.
CVE-2020-28050 1 Zohocorp 1 Manageengine Desktop Central 2024-11-21 9.1 Critical
Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server.
CVE-2020-27995 1 Zohocorp 1 Manageengine Applications Manager 2024-11-21 9.8 Critical
SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter.