Zohocorp Security Vulnerabilities

CVE-2018-11808

Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially craf...

CVSS 9.1 | AI Score 8.9 | EPSS 0.005 | 2018-06-06 03:29 AM

CVE-2018-12996

A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do.

CVSS 6.1 | AI Score 6 | EPSS 0.006 | 2018-06-29 12:29 PM

CVE-2018-12997

Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers to read certain file...

CVSS 7.5 | AI Score 7.4 | EPSS 0.01 | 2018-06-29 12:29 PM

CVE-2018-12998

A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject ...

CVSS 6.1 | AI Score 6 | EPSS 0.968 | 2018-06-29 12:29 PM

CVE-2018-12999

Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI.

CVSS 7.5 | AI Score 7.4 | EPSS 0.076 | 2018-06-29 12:29 PM

CVE-2018-13050

A SQL Injection vulnerability exists in Zoho ManageEngine Applications Manager 13.x before build 13800 via the j_username parameter in a /j_security_check POST request.

CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | 2018-07-02 11:29 AM

CVE-2018-13411

An issue was discovered in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version.

CVSS 8.8 | AI Score 8.4 | EPSS 0.015 | 2018-09-12 04:29 PM

CVE-2018-13412

An issue was discovered in the Self Service Portal in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version.

CVSS 7.8 | AI Score 7.7 | EPSS 0.001 | 2018-09-12 04:29 PM

CVE-2018-15168

A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request.

CVSS 9.8 | AI Score 9.7 | EPSS 0.002 | 2018-08-08 12:29 AM

CVE-2018-15169

A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager 13 before build 13820 allows remote attackers to inject arbitrary web script or HTML via the /deleteMO.do method parameter.

CVSS 6.1 | AI Score 6 | EPSS 0.003 | 2018-08-08 12:29 AM

CVE-2018-15740

Zoho ManageEngine ADManager Plus 6.5.7 has XSS on the "Workflow Delegation" "Requester Roles" screen.

CVSS 6.1 | AI Score 6 | EPSS 0.002 | 2018-08-28 07:29 PM

CVE-2018-16364

A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share.

CVSS 8.1 | AI Score 8.3 | EPSS 0.004 | 2018-09-26 09:29 PM

CVE-2018-16833

Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI.

CVSS 6.1 | AI Score 5.8 | EPSS 0.066 | 2018-09-21 05:29 PM

CVE-2018-16965

In Zoho ManageEngine SupportCenter Plus before 8.1 Build 8109, there is HTML Injection and Stored XSS via the /ServiceContractDef.do contractName parameter.

CVSS 6.1 | AI Score 6 | EPSS 0.002 | 2018-09-21 05:29 PM

CVE-2018-17243

Global Search in Zoho ManageEngine OpManager before 12.3 123205 allows SQL Injection.

CVSS 9.8 | AI Score 9.6 | EPSS 0.015 | 2018-09-20 07:29 AM

CVE-2018-17283

Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injec...

CVSS 7.5 | AI Score 8 | EPSS 0.401 | 2018-09-21 03:29 AM

CVE-2018-17596

In Zoho ManageEngine AssetExplorer, a Stored XSS vulnerability was discovered in the 6.2.0 version via the /AssetDef.do ciName or assetName parameter.

CVSS 6.1 | AI Score 5.8 | EPSS 0.066 | 2018-10-02 06:29 PM

CVE-2018-18262

Zoho ManageEngine OpManager 12.3 before build 123214 has XSS.

CVSS 6.1 | AI Score 6.3 | EPSS 0.002 | 2018-10-17 02:29 PM

CVE-2018-18475

Zoho ManageEngine OpManager before 12.3 build 123214 allows Unrestricted Arbitrary File Upload.

CVSS 9.8 | AI Score 9.4 | EPSS 0.022 | 2018-10-23 09:30 PM

CVE-2018-18715

Zoho ManageEngine OpManager 12.3 before 123219 has stored XSS.

CVSS 6.1 | AI Score 6.2 | EPSS 0.001 | 2018-11-20 07:29 PM

CVE-2018-18716

Zoho ManageEngine OpManager 12.3 before 123219 has a Self XSS Vulnerability.

CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2018-11-20 07:29 PM

CVE-2018-18949

Zoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via Mail Server settings.

CVSS 9.8 | AI Score 9.9 | EPSS 0.041 | 2018-11-05 09:29 AM

CVE-2018-18980

An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrar...

CVSS 7.5 | AI Score 7.6 | EPSS 0.011 | 2018-11-06 04:29 AM

CVE-2018-19118

Zoho ManageEngine ADAudit before 5.1 build 5120 allows remote attackers to cause a denial of service (stack-based buffer overflow) via the 'Domain Name' field when adding a new domain.

CVSS 7.5 | AI Score 7.5 | EPSS 0.006 | 2018-12-13 07:29 PM

CVE-2018-19288

Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API.

CVSS 6.1 | AI Score 6 | EPSS 0.003 | 2018-11-15 06:29 AM

CVE-2018-19374

Zoho ManageEngine ADManager Plus 6.6 Build 6657 allows local users to gain privileges (after a reboot) by placing a Trojan horse file into the permissive bin directory.

CVSS 7 | AI Score 6.8 | EPSS 0.001 | 2019-04-30 06:29 PM

CVE-2018-19921

Zoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain controller.

CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2018-12-06 10:29 PM

CVE-2018-20173

Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API.

CVSS 9.8 | AI Score 9.8 | EPSS 0.015 | 2018-12-17 08:29 AM

CVE-2018-20338

Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section.

CVSS 9.8 | AI Score 9.8 | EPSS 0.028 | 2018-12-21 09:29 AM

CVE-2018-20339

Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms section.

CVSS 6.1 | AI Score 6 | EPSS 0.003 | 2018-12-21 09:29 AM

CVE-2018-20484

Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation.

CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2018-12-26 06:29 PM

CVE-2018-20485

Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature.

CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2018-12-26 06:29 PM

CVE-2018-20664

Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.

CVSS 9.8 | AI Score 9.4 | EPSS 0.019 | 2019-01-03 07:29 PM

CVE-2018-5337

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: directory traversal in the SCRIPT_NAME field when modifying existing scripts.

CVSS 9.8 | AI Score 9.4 | EPSS 0.024 | 2018-04-18 08:29 AM

CVE-2018-5338

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: missing authentication/authorization for a database query mechanism.

CVSS 9.8 | AI Score 9.4 | EPSS 0.024 | 2018-04-18 08:29 AM

CVE-2018-5339

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions.

CVSS 9.8 | AI Score 9.4 | EPSS 0.024 | 2018-04-18 08:29 AM

CVE-2018-5340

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: database access using a superuser account (specifically, an account with permission to write to the filesystem via SQL queries).

CVSS 7.2 | AI Score 7.1 | EPSS 0.001 | 2018-04-18 08:29 AM

CVE-2018-5341

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: a missing server-side check on the file type/extension when uploading and modifying scripts.

CVSS 9.8 | AI Score 9.3 | EPSS 0.016 | 2018-04-18 08:29 AM

CVE-2018-5342

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account.

CVSS 7.2 | AI Score 6.9 | EPSS 0.001 | 2018-04-18 08:29 AM

CVE-2018-5353

The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spo...

CVSS 9.8 | AI Score 9.8 | EPSS 0.036 | 2020-09-30 06:15 PM

CVE-2018-5799

In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139.

CVSS 6.1 | AI Score 5.9 | EPSS 0.002 | 2018-03-30 01:29 PM

CVE-2018-7248

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the account exists, or 'null' if it doe...

CVSS 5.3 | AI Score 5.2 | EPSS 0.005 | 2018-05-11 02:29 PM

CVE-2018-7405

Cross-site scripting (XSS) in Zoho ManageEngine EventLog Analyzer before 11.12 Build 11120 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 6.1 | AI Score 6 | EPSS 0.002 | 2018-03-13 07:29 PM

CVE-2018-7890

A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal cl...

CVSS 9.8 | AI Score 9.8 | EPSS 0.972 | 2018-03-08 10:29 PM

CVE-2018-8721

Zoho ManageEngine EventLog Analyzer version 11.0 build 11000 has Stored XSS related to the index2.do?url=editAlertForm&tab=alert&alert=profile URI and the Edit Alert Profile screen.

CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2018-03-15 04:29 AM

CVE-2018-8722

Zoho ManageEngine Desktop Central version 9.1.0 build 91099 has multiple XSS issues that were fixed in build 92026.

CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2018-03-15 04:29 AM

CVE-2018-9163

A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject arbitrary web script or HTML via the loginName field to technicianAction.do.

CVSS 5.4 | AI Score 5 | EPSS 0.874 | 2018-04-02 12:29 PM

CVE-2019-10008

Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login ...

CVSS 8.8 | AI Score 8.8 | EPSS 0.006 | 2019-04-24 07:29 PM

CVE-2019-10273

Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users to enumerate active users. Due to a flaw within the way the authentication is handled, an attacker is able to login and verify any active account.

CVSS 4.3 | AI Score 5.9 | EPSS 0.008 | 2019-04-04 04:29 PM

CVE-2019-11361

Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user permissions properly, allowing for privilege escalation and eventually a full application takeover.

CVSS 8.8 | AI Score 8.9 | EPSS 0.001 | 2020-03-19 05:15 PM

Total number of security vulnerabilities: 481