5124 matches found
Zoho ManageEngine ADSelfService Plus 6121 - Username Enumeration
Zoho ManageEngine ADSelfService Plus 6121 is vulnerable to username enumeration CVE-2022-28987. The Forgot Password functionality responds differently for existing and non-existing users, allowing attackers to enumerate valid usernames. id: CVE-2022-28987 info: name: Zoho ManageEngine ADSelfServi...
Zoho ManageEngine ADSelfService Plus <=6103 - Cross-Site Scripting
Zoho ManageEngine ADSelfService Plus 6103 and prior contains a reflected cross-site scripting vulnerability on the loadframe page. id: CVE-2021-37416 info: name: Zoho ManageEngine ADSelfService Plus 6103 to mitigate this vulnerability. reference: -...
ManageEngine OpManager - Directory Traversal
A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. id: CVE-2023-47211 info: name: ManageEngine...
ManageEngine ADSelfService Plus <6121 - Stored Cross-Site Scripting
ManageEngine ADSelfService Plus before 6121 contains a stored cross-site scripting vulnerability via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screens. id: CVE-2022-24681 info: name: ManageEngine ADSelfService Plus 6121 - Stored Cross-Site...
Zoho ManageEngine OpManager < 12.5.329 - Remote Code Execution
Zoho ManageEngine OpManager before 12.5.329 contains a remote code execution caused by a general bypass in the deserialization class, letting unauthenticated attackers execute arbitrary code, exploit requires no authentication id: CVE-2021-3287 info: name: Zoho ManageEngine OpManager 12.5.329 -...
Zoho ManageEngine - getUserAPIKey Authentication Bypass
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 125657, 126002, 126104, and 126118 allow unauthenticated attackers to obtain a user's API key, and then access external...
ManageEngine Firewall Analyzer <8.0 - Local File Inclusion
ManageEngine Firewall Analyzer before 8.0 is vulnerable to local file inclusion. id: CVE-2015-7780 info: name: ManageEngine Firewall Analyzer 8.0 - Local File Inclusion author: daffainfo severity: medium description: ManageEngine Firewall Analyzer before 8.0 is vulnerable to local file inclusion...
Zoho ManageEngine - Internal Hostname Disclosure
Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses. id: CVE-2022-23779 info: name: Zoho ManageEngine - Internal Hostname Disclosure author: cckuailong severity: medium...
ManageEngine Firewall Analyzer 7.2 - Cross-Site Scripting
Multiple cross-site scripting vulnerabilities in ManageEngine Firewall Analyzer 7.2 allow remote attackers to inject arbitrary web script or HTML via the 1 subTab or 2 tab parameter to createAnomaly.do; 3 url, 4 subTab, or 5 tab parameter to mindex.do; 6 tab parameter to index2.do; or 7 port...
ManageEngine ServiceDesk 9.3.9328 - Arbitrary File Retrieval
ManageEngine ServiceDesk 9.3.9328 is vulnerable to an arbitrary file retrieval due to improper restrictions of the pathname used in the name parameter for the download-snapshot path. An unauthenticated remote attacker can use this vulnerability to download arbitrary files. id: CVE-2017-11512 info...
Zoho ManageEngine ServiceDesk Plus - Authentication Bypass
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. id: CVE-2021-37415 info: name: Zoho ManageEngine ServiceDesk Plus - Authentication Bypass author: daffainfo,jjcho severity: critical description: | Zoho...
Zoho ManageEngine - Access Control Bypass
Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize via the ../RestAPI...
Zoho ManageEngine OpManger - Arbitrary File Read
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a specially crafted request. id: CVE-2020-12116 info: name: Zoho ManageEngine OpManger - Arbitrary File Read author:...
Zoho ManageEngine ADSelfService Plus v6113 - Unauthenticated Remote Command Execution
Zoho ManageEngine ADSelfService Plus version 6113 and prior are vulnerable to a REST API authentication bypass vulnerability that can lead to remote code execution. id: CVE-2021-40539 info: name: Zoho ManageEngine ADSelfService Plus v6113 - Unauthenticated Remote Command Execution author:...
Zoho ManageEngine Desktop Central - Remote Code Execution
Zoho ManageEngine Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server. id: CVE-2021-44515 info: name: Zoho ManageEngine Desktop Central - Remote Code Execution author: Adam Crosser severity:...
ManageEngine ADAudit Plus < Build 8703 Account Takeover (CVE-2026-11374)
The version of ManageEngine ADAudit Plus installed on the remote host is prior to build 8703. It is, therefore, affected by an account takeover vulnerability: - The SSO tickets generated to authenticate a session could be predicted by an unauthenticated user, leading to account takeover...
ManageEngine ADSelfService Plus < Build 6529 Account Takeover (CVE-2026-11374)
According to its self-reported version, the ManageEngine ADSelfService Plus application running on the remote host is prior to build 6529. It is, therefore, affected by an account takeover vulnerability: - The SSO tickets generated to authenticate a session could be predicted by an unauthenticate...
CVE-2026-11374
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover...
EUVD-2026-38423
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover...
CVE-2026-11374 Account Takeover via Predictable SSO Ticket Generation
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover...