Remote code execution

Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers...

CVE-2023-31099

Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers...

CVE-2022-38772

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes that lead to remote code execution in the NMAP feature...

CVE-2022-37024

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 125658, 126003, 126105, and 126120 allow authenticated users to make database changes that lead to remote code execution...

Sql injection

The NetFlow Analyzer in Zoho ManageEngine OpManger before 125455 is vulnerable to SQL Injection in the Attacks Module API...

CVE-2020-28653

Zoho ManageEngine OpManager Stable build before 125203 and Released build before 125233 allows Remote Code Execution via the Smart Update Manager SUM servlet...

CVE-2020-13818

In Zoho ManageEngine OpManager before 125144, when is used, directory traversal validation can be bypassed...

CVE-2020-13818

In Zoho ManageEngine OpManager before 125144, when is used, directory traversal validation can be bypassed...

Cross site request forgery (csrf)

Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request...

CVE-2020-12116

Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request...

CVE-2020-11527

In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files...

Code injection

In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files...

CVE-2017-11561

An issue was discovered in ZOHO ManageEngine OpManager 12.2. An authenticated user can upload any file they want to share in the "Group Chat" or "Alarm" section. This functionality can be abused by a malicious user by uploading a web shell...

CVE-2018-20338

Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section...

CVE-2018-20173

Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API...

CVE-2018-18715

Zoho ManageEngine OpManager 12.3 before 123219 has stored XSS...

CVE-2018-18949

Zoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via Mail Server settings...

CVE-2018-18475

Zoho ManageEngine OpManager before 12.3 build 123214 allows Unrestricted Arbitrary File Upload...

CVE-2018-18475

Zoho ManageEngine OpManager before 12.3 build 123214 allows Unrestricted Arbitrary File Upload...

Design/Logic Flaw

Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor...