Filtered by vendor Zohocorp
Subscribe
Total
514 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-11685 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Reflective cross-site scripting (XSS) vulnerabilities in search and display of event data in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML, as demonstrated by the fName parameter. | |||||
| CVE-2017-14123 | 1 Zohocorp | 1 Manageengine Firewall Analyzer | 2025-04-20 | 9.0 HIGH | 8.8 HIGH |
| Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upload vulnerability in the "Group Chat" section. Any user can upload files with any extensions. By uploading a PHP file to the server, an attacker can cause it to execute in the server context, as demonstrated by /itplus/FileStorage/302/shell.jsp. | |||||
| CVE-2017-16849 | 1 Zohocorp | 1 Manageengine Applications Manager | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter. | |||||
| CVE-2016-4889 | 1 Zohocorp | 1 Servicedesk Plus | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions. | |||||
| CVE-2017-16851 | 1 Zohocorp | 1 Manageengine Applications Manager | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter. | |||||
| CVE-2015-9107 | 1 Zohocorp | 1 Manageengine Opmanager | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL |
| Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor. | |||||
| CVE-2016-1161 | 1 Zohocorp | 1 Password Manager Pro | 2025-04-20 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-site request forgery (CSRF) vulnerability in ManageEngine Password Manager Pro before 8.5 (Build 8500). | |||||
| CVE-2017-17698 | 1 Zohocorp | 1 Manageengine Password Manager Pro | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflected XSS in SearchResult.ec and BulkAccessControlView.ec. | |||||
| CVE-2017-11686 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attackers to obtain an authenticated user's password via XSS vulnerabilities or sniffing non-SSL traffic on the network, because the password is represented in a cookie with a reversible encoding method. | |||||
| CVE-2016-4890 | 1 Zohocorp | 1 Servicedesk Plus | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie. | |||||
| CVE-2016-6603 | 1 Zohocorp | 1 Webnms Framework | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL |
| ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header. | |||||
| CVE-2017-16850 | 1 Zohocorp | 1 Manageengine Applications Manager | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action. | |||||
| CVE-2017-16542 | 1 Zohocorp | 1 Manageengine Applications Manager | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| Zoho ManageEngine Applications Manager 13 before build 13500 allows Post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request. | |||||
| CVE-2015-5061 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2025-04-12 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 and earlier allows remote authenticated users with permissions to add new vendors to inject arbitrary web script or HTML via the organizationName parameter to VendorDef.do. | |||||
| CVE-2014-5005 | 1 Zohocorp | 1 Manageengine Desktop Central | 2025-04-12 | 7.5 HIGH | N/A |
| Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter in an LFU action to statusUpdate. | |||||
| CVE-2014-3997 | 1 Zohocorp | 2 Manageengine It360, Manageengine Password Manager Pro | 2025-04-12 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat. | |||||
| CVE-2014-6043 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2025-04-12 | 6.5 MEDIUM | N/A |
| ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000. | |||||
| CVE-2015-1479 | 1 Zohocorp | 1 Servicedesk Plus | 2025-04-12 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter. | |||||
| CVE-2014-6034 | 1 Zohocorp | 3 Manageengine It360, Manageengine Opmanager, Manageengine Social It Plus | 2025-04-12 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter. | |||||
| CVE-2014-0344 | 1 Zohocorp | 1 Manageengine Opstor | 2025-04-12 | 6.5 MEDIUM | N/A |
| Properties.do in ZOHO ManageEngine OpStor before build 8500 does not properly check privilege levels, which allows remote authenticated users to obtain Admin access by using the name parameter in conjunction with a true value of the edit parameter. | |||||