Filtered by vendor Zohocorp
Subscriptions
Total
491 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2018-12999 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | N/A |
Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI. | ||||
CVE-2018-12998 | 1 Zohocorp | 5 Firewall Analyzer, Manageengine Netflow Analyzer, Manageengine Network Configuration Manager and 2 more | 2024-11-21 | 6.1 Medium |
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet. | ||||
CVE-2018-12997 | 1 Zohocorp | 5 Firewall Analyzer, Manageengine Netflow Analyzer, Manageengine Network Configuration Manager and 2 more | 2024-11-21 | 7.5 High |
Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers to read certain files on the web server without login by sending a specially crafted request to the server with the operation=copyfile&fileName= substring. | ||||
CVE-2018-12996 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | N/A |
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do. | ||||
CVE-2018-11808 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | N/A |
Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server. | ||||
CVE-2018-11717 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | N/A |
An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64 encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the cleartext password of recovery_password of Android devices, the cleartext password of account "set", the location of devices enrolled in the platform (with UUID and information related to the name of the person at the location), critical information about all enrolled devices such as Serial Number, UUID, Model, Name, and auth_session_token (usable to spoof a terminal identity on the platform), etc. | ||||
CVE-2018-11716 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | N/A |
An issue was discovered in Zoho ManageEngine Desktop Central before 100230. There is unauthenticated remote access to all log files of a Desktop Central instance containing critical information (private information such as location of enrolled devices, cleartext passwords, patching level, etc.) via a GET request on port 8022, 8443, or 8444. | ||||
CVE-2018-10803 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2024-11-21 | N/A |
Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary web script or HTML via a crafted description value. This can be exploited through CSRF. | ||||
CVE-2018-10466 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-11-21 | N/A |
Zoho ManageEngine ADAudit Plus before 5.0.0 build 5100 allows blind SQL Injection. | ||||
CVE-2018-10076 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2024-11-21 | N/A |
An issue was discovered in Zoho ManageEngine EventLog Analyzer 11.12. A Cross-Site Scripting vulnerability allows a remote attacker to inject arbitrary web script or HTML via the search functionality (the search box of the Dashboard). | ||||
CVE-2018-10075 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2024-11-21 | N/A |
Cross-site scripting (XSS) vulnerability in Zoho ManageEngine EventLog Analyzer 11.12 allows remote attackers to inject arbitrary web script or HTML via the import logs feature. | ||||
CVE-2017-9376 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-11-21 | N/A |
ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do and AssetDefaultConfigDef.do. | ||||
CVE-2017-9362 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-11-21 | N/A |
ManageEngine ServiceDesk Plus before 9312 contains an XML injection at add Configuration items CMDB API. | ||||
CVE-2017-7213 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | N/A |
Zoho ManageEngine Desktop Central before build 100082 allows remote attackers to obtain control over all connected active desktops via unspecified vectors. | ||||
CVE-2017-17698 | 1 Zohocorp | 1 Manageengine Password Manager Pro | 2024-11-21 | N/A |
Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflected XSS in SearchResult.ec and BulkAccessControlView.ec. | ||||
CVE-2017-17552 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-11-21 | N/A |
/LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted. | ||||
CVE-2017-16924 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | N/A |
Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157. | ||||
CVE-2017-16851 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | N/A |
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter. | ||||
CVE-2017-16850 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | N/A |
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action. | ||||
CVE-2017-16849 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | N/A |
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter. |