Filtered by vendor Zohocorp
Subscriptions
Total
482 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-9163 | 1 Zohocorp | 1 Manageengine Recovery Manager Plus | 2024-08-05 | N/A |
| A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject arbitrary web script or HTML via the loginName field to technicianAction.do. | ||||
| CVE-2018-8722 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-08-05 | N/A |
| Zoho ManageEngine Desktop Central version 9.1.0 build 91099 has multiple XSS issues that were fixed in build 92026. | ||||
| CVE-2018-8721 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2024-08-05 | N/A |
| Zoho ManageEngine EventLog Analyzer version 11.0 build 11000 has Stored XSS related to the index2.do?url=editAlertForm&tab=alert&alert=profile URI and the Edit Alert Profile screen | ||||
| CVE-2018-7890 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | N/A |
| A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection. | ||||
| CVE-2018-7405 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2024-08-05 | N/A |
| Cross-site scripting (XSS) in Zoho ManageEngine EventLog Analyzer before 11.12 Build 11120 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2018-7248 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-08-05 | 5.3 Medium |
| An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the accounts exists, or 'null' if it does not. | ||||
| CVE-2018-5799 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-08-05 | N/A |
| In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139. | ||||
| CVE-2018-5353 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-08-05 | 9.8 Critical |
| The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required | ||||
| CVE-2018-5341 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-08-05 | N/A |
| An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: a missing server-side check on the file type/extension when uploading and modifying scripts. | ||||
| CVE-2018-5339 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-08-05 | N/A |
| An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions. | ||||
| CVE-2018-5338 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-08-05 | N/A |
| An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: missing authentication/authorization for a database query mechanism. | ||||
| CVE-2018-5342 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-08-05 | N/A |
| An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account. | ||||
| CVE-2018-5337 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-08-05 | N/A |
| An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: directory traversal in the SCRIPT_NAME field when modifying existing scripts. | ||||
| CVE-2018-5340 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-08-05 | N/A |
| An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: database access using a superuser account (specifically, an account with permission to write to the filesystem via SQL queries). | ||||
| CVE-2019-20474 | 1 Zohocorp | 1 Manageengine Remote Access Plus | 2024-08-05 | 4.3 Medium |
| An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF. | ||||
| CVE-2019-19800 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | 5.3 Medium |
| Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet. | ||||
| CVE-2019-19799 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | 5.3 Medium |
| Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet. | ||||
| CVE-2019-19774 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2024-08-05 | 8.8 High |
| An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing credential data stored in the database, and recover the MD5 hashes of the accounts used to authenticate the ManageEngine platform to the managed machines on the network (most often administrative accounts). Specifically, this bypasses these restrictions: a query cannot mention password, and a query result cannot have a password column. | ||||
| CVE-2019-19650 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | 8.8 High |
| Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. | ||||
| CVE-2019-19649 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-05 | 9.8 Critical |
| Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function. | ||||