56 matches found
CVE-2022-36923
CVE-2022-36923 affects Zoho ManageEngine products (OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils) with an authentication bypass that allows an unauthenticated attacker to retrieve a user’s API key and use external APIs. T...
CVE-2014-7863
The CVE-2014-7863 issue affects the FailOverHelperServlet (FailServlet) in ZOHO ManageEngine OpManager, Applications Manager, and IT360, allowing (1) arbitrary file read via the fileName parameter in a copyfile operation and (2) directory-listing disclosure via listdirectory. Technical details ar...
CVE-2019-12133
CVE-2019-12133 affects multiple Zoho ManageEngine products (Desktop Central, EventLog Analyzer, ServiceDesk Plus, SupportCenter Plus, O365 Manager Plus, Mobile Device Manager Plus, Patch Connect Plus, Vulnerability Manager Plus, Patch Manager Plus, OpManager, NetFlow Analyzer, OpUtils, Network Co...
CVE-2019-15106
Zoho ManageEngine OpManager (builds before 14310) is affected by CVE-2019-15106. The vulnerability allows bypassing the user password requirement and executing commands on the server by using the username@opm password (e.g., admin@opm). This is a remote, unauthenticated command execution with net...
CVE-2022-29535
Summary: CVE-2022-29535 affects Zoho ManageEngine OPManager (version 125588 and prior). Multiple connected sources describe a SQL injection vulnerability that can be exploited via some default reports, enabling remote attackers to execute arbitrary SQL commands. The issue is confirmed across NVD,...
CVE-2020-28653
CVE-2020-28653 affects ManageEngine OpManager SumPDU Java Deserialization in OpManager 12.1–12.5.x prior to build 125203 (released before 125233). The SUMPDU servlet allows unauthenticated remote code execution via deserialization of arbitrary Java objects, enabling remote code execution on the s...
CVE-2023-47211
ManageEngine OpManager 12.7.258 is affected by a directory traversal vulnerability in the uploadMib function. An attacker can send a crafted MiB file via HTTP (via the MiB Browser upload path) and cause arbitrary file creation by manipulating destination file naming (orgMibName) without sufficien...
CVE-2015-7765
CVE-2015-7765 affects ManageEngine OpManager (11.5 build 11600 and earlier) and is rooted in a hardcoded IntegrationUser password: "plugin". The vulnerability allows remote authenticated users to obtain administrator access by leveraging this credential, enabling the exploitation of the applicati...
CVE-2020-12116
Zoho ManageEngine OpManager is affected by CVE-2020-12116. OpManager Stable build prior to 124196 and Released build prior to 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a specially crafted request, via a directory traversal vulnerability in the appl...
CVE-2020-10541
Zoho ManageEngine OpManager prior to 12.4.179 is affected by a remote code execution vulnerability via a specially crafted Mail Server Settings v1 API request. The issue has a fixed patch in version 12.5.108. Exploitation details are not provided in the connected documents beyond the API request ...
CVE-2020-11527
The CVE-2020-11527 vulnerability affects Zoho ManageEngine OpManager before version 12.4.181. Multiple connected sources corroborate that an unauthenticated remote attacker can trigger a specially crafted URI to read arbitrary files, indicating an information disclosure risk. The Red Hat advisory...
CVE-2014-6034
CVE-2014-6034 affects ManageEngine OpManager (versions 8.8–11.3) and related products (Social IT Plus 11.0, IT360 10.4 and earlier). A directory traversal in the FileCollector servlet, triggered by a ".." in the regionID parameter, allows remote attackers or remote authenticated users to write to...
CVE-2021-3287
CVE-2021-3287 affects Zoho ManageEngine OpManager before 12.5.329. A general bypass in the deserialization class enables unauthenticated remote code execution, allowing an attacker to run arbitrary code with the OpManager application’s privileges (no authentication required). Mitigation: update t...
CVE-2023-31099
Zoho ManageEngine OPManager (versions up to 126323) is affected by a deserialization-based remote code execution vulnerability that can be triggered by an authenticated user via probe servers. This vulnerability allows total impact (CVE-2023-31099) with high severity (CVSS 3.1: AV:N/AC:L/PR:L/UI:...
CVE-2024-5466
CVE-2024-5466 affects Zohocorp ManageEngine OpManager and Remote Monitoring and Management, versions 128329 and below. The vulnerability is an authenticated remote code execution in the deploy agent option, caused by the underlying flaw described across multiple sources. Reported impact is high (...
CVE-2018-17283
Zoho ManageEngine OpManager before 12.3 Build 123196 is affected by an authentication bypass in /oputilsServlet and can be leveraged for SQL injection via /api/json/device/setManaged name parameter or to add an admin user via /api/json/v2/admin/addUser. The vulnerability arises from lack of acces...
CVE-2018-12998
Zoho ManageEngine CVE-2018-12998 is a reflected XSS in multiple products (Netflow Analyzer before build 123137, Network Configuration Manager before 123128, OpManager before 123148, OpUtils before 123161, Firewall Analyzer before 123147) exploitable via the operation parameter to /servlet/com.adv...
CVE-2022-35404
The CVE-2022-35404 entry affects ManageEngine Password Manager Pro (versions 12100 and prior) and OPManager (126100 and prior). The vulnerability enables unauthorized file and directory creation on a server machine, indicating a local impact on availability. Public details in connected documents ...
CVE-2021-20078
CVE-2021-20078 affects ManageEngine OpManager (builds below 125346). A path traversal flaw in the spark gateway component enables remote denial of service by deleting arbitrary directories on the OS. Multiple connected sources (Red Hat, CNVD, CVE registries) confirm the same description; no explo...
CVE-2022-37024
Summary (CVE-2022-37024) : Multiple Zoho ManageEngine products (OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, OpUtils) prior to 2022-07-29 are affected by a remote code execution flaw. The root cause is insufficient input validation in the getDNSResolv...
CVE-2023-6105
Technical details about CVE-2023-6105 are not publicly provided in the supplied documents; monitor for updates.
CVE-2014-6035
CVE-2014-6035 affects ManageEngine OpManager (FileCollector servlet) on OpManager 11.4, 11.3 and earlier. A directory traversal flaw allows remote attackers to write and execute arbitrary files via a .. in the FILENAME parameter; Nessus also notes related issues in regionID handling and potential...
CVE-2022-27908
Zoho ManageEngine OpManager is affected by an authenticated SQL injection in the Inventory Reports module, affecting versions prior to 125588 (and prior to 125603). The vulnerability arises from unsanitized input in the Inventory Reports functionality, enabling an attacker with valid credentials ...
CVE-2014-6036
CVE-2014-6036 is a directory-traversal vulnerability in the multipartRequest servlet used by ManageEngine OpManager and related products (OpManager <= 11.3, Social IT Plus <= 11.0, IT360
CVE-2014-7866
CVE-2014-7866 is a set of remote directory traversal/file-upload vulnerabilities affecting ZOHO ManageEngine OpManager (build 88xx–11.4), IT360 (10.3–10.4), and Social IT Plus (11.0). Exploitation occurs via unauthorized file writes through MigrateLEEData (fileName=..../warfile.war) or MigrateCen...
CVE-2022-38772
Summary: CVE-2022-38772 affects Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils. The issue is a command injection in the getNmapInitialOption function that allows authenticated users to perform database changes leading to re...
CVE-2022-43473
OpManager 12.6.168 isAffected by a blind XXE in Add UCS Device, enabling SSRF via attacker-supplied XML. The vulnerable path is in the UCS discovery flow (POST /client/api/json/discovery/addDevice) where backend requests data to a crafted backend URL and XML is parsed by DocumentBuilder, allowing...
CVE-2017-11559
ZOHO ManageEngine OpManager 12.2 is affected by a Blind SQL Injection in the apiKey parameter of /api/json/admin/getmailserversettings and /api/json/dashboard/gotoverviewlist. Root cause: lack of input validation/exploitation of SQL statements; impact reported as high confidentiality impact (C/H)...
CVE-2018-12997
CVE-2018-12997 affects Zoho ManageEngine products: NetFlow Analyzer, Network Configuration Manager, OpManager, OpUtils, and Firewall Analyzer. The underlying issue is an Incorrect Access Control in FailOverHelperServlet, allowing unauthenticated attackers to read arbitrary server files by sending...
CVE-2014-7864
CVE-2014-7864 affects ZOHO ManageEngine OpManager (versions 8–11.5 build 11400) and IT360 (earlier 10.5). The issue is a blind SQL injection in the FailOverHelperServlet (FailServlet) via parameters in standbyUpdateInCentral, specifically customerName and serverRole, enabling remote attackers (un...
CVE-2017-11560
CVE-2017-11560 affects ZOHO ManageEngine OpManager 12.2. An authenticated user can upload an HTML file via a Google Map integration, which is then rendered in multiple locations and can execute JavaScript in the application. This creates a potential cross-site scripting path through the uploaded ...
CVE-2017-11561
CVE-2017-11561 affects ZOHO ManageEngine OpManager 12.2. An authenticated user can upload arbitrary files in the Group Chat or Alarm sections, enabling potential web shells. The vulnerability arises from insecure file upload handling, allowing an attacker to upload executable content. Public desc...
CVE-2019-17602
Zoho ManageEngine OpManager prior to 12.4 build 124089 is affected. The OPMDeviceDetailsServlet is vulnerable to SQL injection due to lack of validation of externally entered SQL statements in a database-backed application. Depending on configuration, exploitation could be unauthenticated or auth...
CVE-2020-11946
Zoho ManageEngine OpManager versions prior to 125120 are affected by an information-disclosure vulnerability: an unauthenticated user can retrieve an API key via a servlet call. The issue enables access to API keys without authentication, exposing credentials that could be used to interact with t...
CVE-2018-18980
CVE-2018-18980 is an XML External Entity (XXE) vulnerability affecting Zoho ManageEngine Network Configuration Manager and OpManager prior to 12.3.214. The issue arises in the RequestXML parameter processed by a /devices/ProcessRequest.do GET request, which could cause the transmission of local f...
CVE-2021-40493
Zoho ManageEngine OpManager before 125437 is vulnerable to SQL Injection in the Support Diagnostics module via the pollingObject parameter of the getDataCollectionFailureReason API. The issue arises from insufficient validation of HTTP request parameters processed by that method, as described in ...
CVE-2021-44514
OpUtils in Zoho ManageEngine OpManager 12.5 before build 125490 contains an authentication flaw that mishandles access to audit directories, enabling unauthenticated access to sensitive audit areas. CVSS data indicates high to critical impact (C/H, I/H, A/H) with network attack vector and no user...
CVE-2014-7868
CVE-2014-7868 affects ManageEngine OpManager (11.3/11.4), IT360 (10.3/10.4) and Social IT Plus (11.0). The root cause is insufficient input validation of the OPM_BVNAME parameter to the APMBVHandler servlet, enabling remote attackers (authenticated or unauthenticated depending on context) to inje...
CVE-2018-17243
CVE-2018-17243 describes a SQL injection vulnerability in the global search of Zoho ManageEngine OpManager prior to version 12.3 build 123205. The issue arises in the global search feature, enabling attackers to inject arbitrary SQL via input in the affected module. Affected product: ManageEngine...
CVE-2021-41075
The CVE-2021-41075 affects Zoho ManageEngine OpManager’s NetFlow Analyzer prior to build 125455. The vulnerability is a SQL Injection in the Attacks Module API, enabling an attacker to execute arbitrary SQL commands. The issue is confirmed across multiple sources (including Red Hat and CNVD) and ...
CVE-2015-7766
CVE-2015-7766 affects Zoho ManageEngine OpManager 11.6, 11.5 and earlier. The issue in PGSQL:SubmitQuery.do lets remote admins bypass SQL query restrictions by inserting a comment into requests to api/json/admin/SubmitQuery (e.g., "INSERT/**/INTO"). Public references describe this as a SQL query ...
CVE-2018-18715
CVE-2018-18715 affects Zoho ManageEngine OpManager 12.3 before build 123219, where a stored cross-site scripting (XSS) vulnerability exists in the web interface. The connected documents confirm the defect as a stored XSS, but do not provide details on affected modules, versions beyond 12.3, explo...
CVE-2018-19921
CVE-2018-19921 affects Zoho ManageEngine OpManager 12.3 before build 123237. A cross-site scripting (XSS) flaw exists in the domain controller component, exposed via the domainController API. Exploitation could enable a remote attacker to inject script or HTML, potentially compromising user sessi...
CVE-2018-20338
CVE-2018-20338 affects Zoho ManageEngine OpManager 12.3 before build 123239, with a SQL injection in the Alarms section. Root cause indicated as insufficient validation of parameters in HTTP requests, enabling a remote attacker to execute arbitrary SQL and potentially access or alter database inf...
CVE-2018-20173
Zoho ManageEngine OpManager 12.3 is vulnerable to SQL injection via the getGraphData API in versions before 123238. The root cause is insufficient validation of parameters in the getGraphData call, enabling attackers to manipulate SQL queries. Impact documented across sources includes potential a...
CVE-2021-41288
CVE-2021-41288 affects Zoho ManageEngine OpManager (version 125466 and earlier). A SQL injection vulnerability exists in the getReportData API due to insufficient validation of HTTP request parameters, enabling an attacker to manipulate/compromise the application database. NVD lists CVSS vectors:...
CVE-2018-18262
Zoho ManageEngine OpManager 12.3 prior to build 123214 is affected by a cross-site scripting (XSS) vulnerability. The CVE-2018-18262 entry is supported by multiple sources (NVD, CVE records, CNVD/PRION) confirming XSS in OpManager 12.3. The available documents do not provide details on the specif...
CVE-2018-19288
CVE-2018-19288 : Zoho ManageEngine OpManager 12.3 prior to Build 123223 is vulnerable to a Cross-Site Scripting (XSS) flaw via the updateWidget API. The underlying issue is an XSS payload that can be injected through this API, enabling arbitrary script execution in affected sessions. Documented i...
CVE-2019-17421
CVE-2019-17421 affects Zoho ManageEngine OpManager 12.4.072 and Firewall Analyzer 12.4.072, where the packaged Nipper executable has incorrect file permissions. This allows a local attacker to elevate privileges to root by overwriting the executable with a malicious payload. Root-level impact is ...
CVE-2018-18949
CVE-2018-18949 affects Zoho ManageEngine OpManager 12.3 prior to build 123222. The vulnerability is a SQL injection via Mail Server settings caused by insufficient validation of the mailservername, enabling an attacker to breach the database security context. Impact is described as high/critical ...