CVE-2022-26777

Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details...

CVE-2022-26653

Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details such as the username and GUID of an administrator...

CVE-2022-35403

Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability via ticket-creation email. This also affects Asset Explorer before 6977 with authentication...

CVE-2022-35404

ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine...

CVE-2019-18781

An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site...

CVE-2019-11678

The "default reports" feature in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123218 is vulnerable to SQL Injection...

CVE-2019-11511

Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API...

CVE-2019-11676

The user defined DNS name in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to stored XSS attacks...

CVE-2019-11469

Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Actions" feature...

CVE-2019-11448

An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a PopupSLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file...

CVE-2019-11677

The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity XXE Injection...

CVE-2020-24397

An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM...

CVE-2023-29505

An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. The WebSocket endpoint allows Cross-site WebSocket hijacking...

CVE-2019-20474

An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role read-only access to use and abuse it. One of the abuses allows performing network and port scan...

CVE-2023-49331

Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection in the aggregate reports search option...

CVE-2023-49333

Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection in the dashboard graph feature...

CVE-2023-49334

Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL Injection while exporting a full summary report...

CVE-2023-49330

Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL Injection while getting aggregate report data...

CVE-2023-49332

Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection while adding file shares...

CVE-2024-41140

Zohocorp ManageEngine Applications Manager versions 174000 and prior are vulnerable to the incorrect authorization in the update user function...