zohocorp CVE Vulnerabilities & Metrics

Focus on zohocorp vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About zohocorp Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with zohocorp. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total zohocorp CVEs: 461
Earliest CVE date: 22 Jun 2009, 19:30 UTC
Latest CVE date: 18 Nov 2024, 08:15 UTC

Latest CVE reference: CVE-2024-49574

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 31

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -24.39%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -24.39%

Monthly CVE Trends (current vs previous year)

Annual CVE Trends (Last 20 Years)

Critical zohocorp CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 4.71

Max CVSS: 10.0

Critical CVEs (≥9): 27

CVSS Range vs. Count

Range Count
0.0-3.9 122
4.0-6.9 223
7.0-8.9 112
9.0-10.0 27

CVSS Distribution Chart

Top 5 Highest CVSS zohocorp CVEs

These are the five CVEs with the highest CVSS scores for zohocorp, sorted by severity first and then by recency.

All CVEs for zohocorp

CVE-2024-49574 zohocorp vulnerability CVSS: 0 18 Nov 2024, 08:15 UTC

Zohocorp ManageEngine ADAudit Plus versions below 8123 are vulnerable to SQL Injection in the reports module.

CVE-2024-10839 zohocorp vulnerability CVSS: 0 08 Nov 2024, 11:15 UTC

Zohocorp ManageEngine SharePoint Manager Plus versions 4503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option.

CVE-2024-24409 zohocorp vulnerability CVSS: 0 08 Nov 2024, 08:15 UTC

Zohocorp ManageEngine ADManager Plus versions 7203 and prior are vulnerable to Privilege Escalation in the Modify Computers option.

CVE-2024-9459 zohocorp vulnerability CVSS: 0 05 Nov 2024, 06:15 UTC

Zohocorp ManageEngine Exchange Reporter Plus versions 5718 and prior are vulnerable to authenticated SQL Injection in the reports module.

CVE-2024-36485 zohocorp vulnerability CVSS: 0 04 Nov 2024, 12:16 UTC

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in the Technician reports option.

CVE-2024-48878 zohocorp vulnerability CVSS: 0 04 Nov 2024, 11:15 UTC

Zohocorp ManageEngine ADManager Plus versions 7241 and prior are vulnerable to SQL Injection in Archived Audit Report.

CVE-2024-5608 zohocorp vulnerability CVSS: 0 24 Oct 2024, 12:15 UTC

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in the technician reports feature.

CVE-2024-6204 zohocorp vulnerability CVSS: 0 30 Aug 2024, 17:15 UTC

Zohocorp ManageEngine Exchange Reporter Plus versions before 5715 are vulnerable to SQL Injection in the reports module.

CVE-2024-5546 zohocorp vulnerability CVSS: 0 28 Aug 2024, 09:15 UTC

Zohocorp ManageEngine Password Manager Pro versions before 12431 and ManageEngine PAM360 versions before 7001 are affected by authenticated SQL Injection vulnerability via a global search option.

CVE-2024-41150 zohocorp vulnerability CVSS: 0 23 Aug 2024, 15:15 UTC

A stored Cross-site Scripting vulnerability in the request module affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus. This issue affects ServiceDesk Plus versions through 14810; ServiceDesk Plus MSP through 14800; SupportCenter Plus through 14800.

CVE-2024-38869 zohocorp vulnerability CVSS: 0 23 Aug 2024, 15:15 UTC

Zohocorp ManageEngine Endpoint Central is affected by an incorrect authorization vulnerability in remote office deploy configurations. This issue affects Endpoint Central before 11.3.2416.04 and before 11.3.2400.25.

CVE-2024-5586 zohocorp vulnerability CVSS: 0 23 Aug 2024, 14:15 UTC

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to authenticated SQL injection in the extranet lockouts report option.

CVE-2024-5556 zohocorp vulnerability CVSS: 0 23 Aug 2024, 14:15 UTC

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the reports module.

CVE-2024-5490 zohocorp vulnerability CVSS: 0 23 Aug 2024, 14:15 UTC

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the aggregate reports option.

CVE-2024-5467 zohocorp vulnerability CVSS: 0 23 Aug 2024, 14:15 UTC

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to authenticated SQL injection in the account lockout report.

CVE-2024-5466 zohocorp vulnerability CVSS: 0 23 Aug 2024, 14:15 UTC

Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to authenticated remote code execution in the deploy agent option.

CVE-2024-36517 zohocorp vulnerability CVSS: 0 23 Aug 2024, 14:15 UTC

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the alerts module.

CVE-2024-36516 zohocorp vulnerability CVSS: 0 23 Aug 2024, 14:15 UTC

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the dashboard. Note: This vulnerability is different from CVE-2024-36515; both affect the ADAudit Plus dashboard.

CVE-2024-36515 zohocorp vulnerability CVSS: 0 23 Aug 2024, 14:15 UTC

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the dashboard. Note: This vulnerability is different from CVE-2024-36516; both affect the ADAudit Plus dashboard.

CVE-2024-36514 zohocorp vulnerability CVSS: 0 23 Aug 2024, 14:15 UTC

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the file summary option.

CVE-2024-5527 zohocorp vulnerability CVSS: 0 12 Aug 2024, 13:38 UTC

Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in file auditing configuration.

CVE-2024-5487 zohocorp vulnerability CVSS: 0 12 Aug 2024, 13:38 UTC

Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in attack surface analyzer's export option.

CVE-2024-36035 zohocorp vulnerability CVSS: 0 12 Aug 2024, 13:38 UTC

Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in user session recording.

CVE-2024-36034 zohocorp vulnerability CVSS: 0 12 Aug 2024, 13:38 UTC

Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in aggregate reports' search option.

CVE-2024-5678 zohocorp vulnerability CVSS: 0 01 Aug 2024, 07:15 UTC

Zohocorp ManageEngine Applications Manager versions 170900 and below are vulnerable to authenticated, admin-only SQL Injection in the Create Monitor feature.

CVE-2024-38872 zohocorp vulnerability CVSS: 0 26 Jul 2024, 18:15 UTC

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to authenticated SQL injection in the monitoring module.

CVE-2024-38871 zohocorp vulnerability CVSS: 0 26 Jul 2024, 18:15 UTC

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to authenticated SQL injection in the reports module.

CVE-2024-27313 zohocorp vulnerability CVSS: 0 29 May 2024, 11:16 UTC

Zoho ManageEngine PAM360 is vulnerable to stored XSS. This vulnerability applies only to version 6610.

CVE-2024-36037 zohocorp vulnerability CVSS: 0 27 May 2024, 18:15 UTC

Zoho ManageEngine ADAudit Plus versions 7260 and below allow unauthorized local agent machine users to view the session recordings.

CVE-2024-27310 zohocorp vulnerability CVSS: 0 27 May 2024, 18:15 UTC

Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to a DoS attack via malicious LDAP input.

CVE-2024-27312 zohocorp vulnerability CVSS: 0 20 May 2024, 13:15 UTC

Zohocorp ManageEngine PAM360 version 6601 has an authorization vulnerability that allows a low-privileged user to perform admin actions. Note: This vulnerability affects only the PAM360 6600 version. No other versions are affected.

CVE-2024-21775 zohocorp vulnerability CVSS: 0 16 Feb 2024, 15:15 UTC

Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to authenticated SQL injection in the report exporting feature.

CVE-2024-0269 zohocorp vulnerability CVSS: 0 02 Feb 2024, 13:15 UTC

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to authenticated SQL injection in File-Summary DrillDown. This issue has been fixed and released in version 7271.

CVE-2024-0253 zohocorp vulnerability CVSS: 0 02 Feb 2024, 13:15 UTC

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to authenticated SQL injection in home Graph-Data.

CVE-2023-48793 zohocorp vulnerability CVSS: 0 02 Feb 2024, 02:15 UTC

Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.

CVE-2023-48792 zohocorp vulnerability CVSS: 0 02 Feb 2024, 02:15 UTC

Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.

CVE-2023-50785 zohocorp vulnerability CVSS: 0 25 Jan 2024, 06:15 UTC

Zoho ManageEngine ADAudit Plus before 7270 allows admin users to view names of arbitrary directories via path traversal.

CVE-2023-49943 zohocorp vulnerability CVSS: 0 18 Jan 2024, 19:15 UTC

Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet.

CVE-2024-0252 zohocorp vulnerability CVSS: 0 11 Jan 2024, 08:15 UTC

ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to remote code execution due to improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability.

CVE-2023-47211 zohocorp vulnerability CVSS: 0 08 Jan 2024, 15:15 UTC

A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MIB file to trigger this vulnerability.

CVE-2023-50891 zohocorp vulnerability CVSS: 0 29 Dec 2023, 12:15 UTC

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Forms Form plugin for WordPress – Zoho Forms allows Stored XSS. This issue affects Form plugin for WordPress – Zoho Forms: from n/a through 3.0.1.

CVE-2023-48646 zohocorp vulnerability CVSS: 0 22 Nov 2023, 18:15 UTC

Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings.

CVE-2023-6105 zohocorp vulnerability CVSS: 0 15 Nov 2023, 21:15 UTC

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.

CVE-2023-4769 zohocorp vulnerability CVSS: 0 03 Nov 2023, 11:15 UTC

An SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. This vulnerability could allow an authenticated attacker to launch targeted attacks, such as a cross-port attack, service enumeration and other attacks via HTTP requests.

CVE-2023-4768 zohocorp vulnerability CVSS: 0 03 Nov 2023, 11:15 UTC

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.pdf.

CVE-2023-4767 zohocorp vulnerability CVSS: 0 03 Nov 2023, 11:15 UTC

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv.

CVE-2023-41904 zohocorp vulnerability CVSS: 0 27 Sep 2023, 15:19 UTC

Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass (for AuthToken generation) in REST APIs.

CVE-2023-38743 zohocorp vulnerability CVSS: 0 11 Sep 2023, 19:15 UTC

Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine.

CVE-2023-35719 zohocorp vulnerability CVSS: 0 06 Sep 2023, 05:15 UTC

ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009.

CVE-2023-39912 zohocorp vulnerability CVSS: 0 31 Aug 2023, 23:15 UTC

Zoho ManageEngine ADManager Plus before 7203 allows Help Desk Technician users to read arbitrary files on the machine where this product is installed.

CVE-2023-35785 zohocorp vulnerability CVSS: 0 28 Aug 2023, 20:15 UTC

Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4161 and below, Data Security Plus 6110 and below, Eventlog Analyzer 12301 and below, Exchange Reporter Plus 5709 and below, Log360 5315 and below, Log360 UEBA 4045 and below, M365 Manager Plus 4529 and below, M365 Security Plus 4529 and below, Recovery Manager Plus 6061 and below, ServiceDesk Plus 14204 and below and 143xx 14302 and below, ServiceDesk Plus MSP 14300 and below, SharePoint Manager Plus 4402 and below, and Support Center Plus 14300 and below are vulnerable to 2FA bypass via a few TOTP authenticators. Note: A valid pair of username and password is required to leverage this vulnerability.

CVE-2023-31492 zohocorp vulnerability CVSS: 0 17 Aug 2023, 23:15 UTC

Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users.

CVE-2020-27449 zohocorp vulnerability CVSS: 0 11 Aug 2023, 14:15 UTC

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

CVE-2023-38333 zohocorp vulnerability CVSS: 0 10 Aug 2023, 21:15 UTC

Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.

CVE-2023-32783 zohocorp vulnerability CVSS: 0 07 Aug 2023, 17:15 UTC

The event analysis component in Zoho ManageEngine ADAudit Plus 7.1.1 allows an attacker to bypass audit detection by creating or renaming user accounts with a "$" symbol suffix. NOTE: the vendor states "We do not consider this as a security bug and it's an expected behaviour."

CVE-2023-38332 zohocorp vulnerability CVSS: 0 04 Aug 2023, 18:15 UTC

Zoho ManageEngine ADManager Plus through 7201 allows authenticated users to take over another user's account via sensitive information disclosure.

CVE-2023-29505 zohocorp vulnerability CVSS: 0 04 Aug 2023, 15:15 UTC

An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. The WebSocket endpoint allows Cross-site WebSocket hijacking.

CVE-2023-38331 zohocorp vulnerability CVSS: 0 28 Jul 2023, 02:15 UTC

Zoho ManageEngine Support Center Plus 14001 and below are vulnerable to stored XSS in the products module.

CVE-2023-37308 zohocorp vulnerability CVSS: 0 07 Jul 2023, 13:15 UTC

Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field.

CVE-2023-34197 zohocorp vulnerability CVSS: 0 07 Jul 2023, 13:15 UTC

Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make modifications.

CVE-2023-35786 zohocorp vulnerability CVSS: 0 05 Jul 2023, 06:15 UTC

Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files.

CVE-2023-35854 zohocorp vulnerability CVSS: 0 20 Jun 2023, 12:15 UTC

Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."

CVE-2023-31099 zohocorp vulnerability CVSS: 0 04 May 2023, 02:15 UTC

Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers.

CVE-2023-2291 zohocorp vulnerability CVSS: 0 26 Apr 2023, 21:15 UTC

Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.

CVE-2023-29443 zohocorp vulnerability CVSS: 0 26 Apr 2023, 21:15 UTC

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.

CVE-2023-29442 zohocorp vulnerability CVSS: 0 26 Apr 2023, 21:15 UTC

Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS.

CVE-2023-29084 zohocorp vulnerability CVSS: 0 13 Apr 2023, 19:15 UTC

Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings.

CVE-2023-28341 zohocorp vulnerability CVSS: 0 11 Apr 2023, 01:15 UTC

Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious JavaScript on the incorrect login details page.

CVE-2023-28340 zohocorp vulnerability CVSS: 0 11 Apr 2023, 01:15 UTC

Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.

CVE-2023-28342 zohocorp vulnerability CVSS: 0 05 Apr 2023, 19:15 UTC

Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API.

CVE-2022-43473 zohocorp vulnerability CVSS: 0 30 Mar 2023, 17:15 UTC

A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.

CVE-2022-36413 zohocorp vulnerability CVSS: 0 23 Mar 2023, 20:15 UTC

Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications.

CVE-2023-26601 zohocorp vulnerability CVSS: 0 06 Mar 2023, 22:15 UTC

Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS).

CVE-2023-26600 zohocorp vulnerability CVSS: 0 06 Mar 2023, 20:15 UTC

ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports.

CVE-2022-48362 zohocorp vulnerability CVSS: 0 25 Feb 2023, 21:15 UTC

Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.)

CVE-2023-0169 zohocorp vulnerability CVSS: 0 13 Feb 2023, 15:15 UTC

The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2023-23078 zohocorp vulnerability CVSS: 0 01 Feb 2023, 20:15 UTC

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.

CVE-2023-23077 zohocorp vulnerability CVSS: 0 01 Feb 2023, 20:15 UTC

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.

CVE-2023-23076 zohocorp vulnerability CVSS: 0 01 Feb 2023, 20:15 UTC

OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.

CVE-2023-23075 zohocorp vulnerability CVSS: 0 01 Feb 2023, 20:15 UTC

Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets Workstation.

CVE-2023-23074 zohocorp vulnerability CVSS: 0 01 Feb 2023, 20:15 UTC

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.

CVE-2023-23073 zohocorp vulnerability CVSS: 0 01 Feb 2023, 20:15 UTC

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.

CVE-2023-22964 zohocorp vulnerability CVSS: 0 20 Jan 2023, 17:15 UTC

Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled.

CVE-2022-47966 zohocorp vulnerability CVSS: 0 18 Jan 2023, 18:15 UTC

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41, ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).

CVE-2023-22624 zohocorp vulnerability CVSS: 0 17 Jan 2023, 20:15 UTC

Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks.

CVE-2022-47523 zohocorp vulnerability CVSS: 0 05 Jan 2023, 08:15 UTC

Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.

CVE-2022-47578 zohocorp vulnerability CVSS: 0 20 Dec 2022, 04:15 UTC

An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by booting into Safe Mode. This allows a file to be exchanged outside the laptop/system. Safe Mode can be launched by any user (even without admin rights). Data exfiltration can occur, and also malware might be introduced onto the system. NOTE: the vendor's position is "it's not a vulnerability in our product."

CVE-2022-47577 zohocorp vulnerability CVSS: 0 20 Dec 2022, 04:15 UTC

An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by making use of a virtual machine (VM). This allows a file to be exchanged outside the laptop/system. VMs can be created by any user (even without admin rights). The data exfiltration can occur without any record in the audit trail of Windows events on the host machine. NOTE: the vendor's position is "it's not a vulnerability in our product."

CVE-2022-40772 zohocorp vulnerability CVSS: 0 23 Nov 2022, 18:15 UTC

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module.

CVE-2022-40771 zohocorp vulnerability CVSS: 0 23 Nov 2022, 18:15 UTC

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.

CVE-2022-40770 zohocorp vulnerability CVSS: 0 23 Nov 2022, 03:15 UTC

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users.

CVE-2022-42904 zohocorp vulnerability CVSS: 0 18 Nov 2022, 21:15 UTC

Zoho ManageEngine ADManager Plus through 7151 allows authenticated admin users to execute the commands in proxy settings.

CVE-2022-42903 zohocorp vulnerability CVSS: 0 17 Nov 2022, 22:15 UTC

Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.

CVE-2022-43672 zohocorp vulnerability CVSS: 0 12 Nov 2022, 04:15 UTC

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671).

CVE-2022-43671 zohocorp vulnerability CVSS: 0 12 Nov 2022, 04:15 UTC

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection.

CVE-2022-41339 zohocorp vulnerability CVSS: 0 12 Nov 2022, 04:15 UTC

In Zoho ManageEngine Mobile Device Manager Plus before 10.1.2207.5, the User Administration module allows privilege escalation.

CVE-2022-40773 zohocorp vulnerability CVSS: 0 12 Nov 2022, 04:15 UTC

Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view.

CVE-2022-41978 zohocorp vulnerability CVSS: 0 09 Nov 2022, 16:15 UTC

Authenticated (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin <= 1.7.5.8 on WordPress.

CVE-2022-40300 zohocorp vulnerability CVSS: 0 16 Sep 2022, 23:15 UTC

Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 have multiple SQL injection vulnerabilities.

CVE-2022-38772 zohocorp vulnerability CVSS: 0 29 Aug 2022, 21:15 UTC

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes that lead to remote code execution in the NMAP feature.

CVE-2020-21642 zohocorp vulnerability CVSS: 0 15 Aug 2022, 20:15 UTC

Directory Traversal vulnerability in the ZDBQAREFSUBDIR parameter of the /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

CVE-2020-21641 zohocorp vulnerability CVSS: 0 15 Aug 2022, 20:15 UTC

Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote attackers to read arbitrary files, enumerate folders and scan internal ports via crafted XML license file.

CVE-2022-37024 zohocorp vulnerability CVSS: 0 10 Aug 2022, 20:16 UTC

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 (125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code execution.

CVE-2022-36923 zohocorp vulnerability CVSS: 0 10 Aug 2022, 20:16 UTC

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs.

CVE-2022-36412 zohocorp vulnerability CVSS: 0 26 Jul 2022, 14:15 UTC

In Zoho ManageEngine SupportCenter Plus before 11023, V3 API requests are vulnerable to authentication bypass. (An API request may, in effect, be executed with the credentials of a user who authenticated in the past.)

CVE-2022-35405 zohocorp vulnerability CVSS: 0 19 Jul 2022, 15:15 UTC

Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)

CVE-2022-35404 zohocorp vulnerability CVSS: 0 18 Jul 2022, 13:15 UTC

ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine.

CVE-2022-35403 zohocorp vulnerability CVSS: 5.0 12 Jul 2022, 22:15 UTC

Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability via ticket-creation email. (This also affects Asset Explorer before 6977 with authentication.)

CVE-2022-34829 zohocorp vulnerability CVSS: 5.0 04 Jul 2022, 20:15 UTC

Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API.

CVE-2022-32551 zohocorp vulnerability CVSS: 5.0 02 Jul 2022, 00:15 UTC

Zoho ManageEngine ServiceDesk Plus MSP before 10604 allows path traversal (to WEBINF/web.xml from sample/WEB-INF/web.xml or sample/META-INF/web.xml).

CVE-2022-23050 zohocorp vulnerability CVSS: 6.5 24 May 2022, 19:15 UTC

ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality.

CVE-2022-28987 zohocorp vulnerability CVSS: 5.0 20 May 2022, 03:15 UTC

Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.

CVE-2022-29535 zohocorp vulnerability CVSS: 7.5 05 May 2022, 23:15 UTC

Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports.

CVE-2022-29081 zohocorp vulnerability CVSS: 7.5 28 Apr 2022, 20:15 UTC

Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few REST API URLs (for SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents, and Synchronize) via the ../RestAPI substring.

CVE-2022-29457 zohocorp vulnerability CVSS: 6.5 18 Apr 2022, 20:15 UTC

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

CVE-2022-28810 zohocorp vulnerability CVSS: 7.1 18 Apr 2022, 13:15 UTC

Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.

CVE-2022-27908 zohocorp vulnerability CVSS: 6.5 18 Apr 2022, 13:15 UTC

Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.

CVE-2022-26777 zohocorp vulnerability CVSS: 5.0 16 Apr 2022, 16:15 UTC

Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details.

CVE-2022-26653 zohocorp vulnerability CVSS: 5.0 16 Apr 2022, 16:15 UTC

Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator).

CVE-2022-24681 zohocorp vulnerability CVSS: 4.3 07 Apr 2022, 22:15 UTC

Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.

CVE-2022-28219 zohocorp vulnerability CVSS: 7.5 05 Apr 2022, 19:15 UTC

Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.

CVE-2022-25373 zohocorp vulnerability CVSS: 3.5 05 Apr 2022, 19:15 UTC

Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history.

CVE-2022-25245 zohocorp vulnerability CVSS: 5.0 05 Apr 2022, 19:15 UTC

Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name.

CVE-2022-24978 zohocorp vulnerability CVSS: 6.5 05 Apr 2022, 19:15 UTC

Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response.

CVE-2022-24447 zohocorp vulnerability CVSS: 4.0 02 Mar 2022, 15:15 UTC

An issue was discovered in Zoho ManageEngine Key Manager Plus before 6200. A service exposed by the application allows a user, with the level Operator, to access stored SSL certificates and associated key pairs during export.

CVE-2022-24306 zohocorp vulnerability CVSS: 7.5 02 Mar 2022, 15:15 UTC

Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled.

CVE-2022-24305 zohocorp vulnerability CVSS: 7.5 02 Mar 2022, 15:15 UTC

Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation.

CVE-2022-23779 zohocorp vulnerability CVSS: 5.0 02 Mar 2022, 15:15 UTC

Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.

CVE-2022-24446 zohocorp vulnerability CVSS: 3.5 01 Mar 2022, 02:15 UTC

An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user, with the level Operator, can see all SSH servers (and user information) even if no SSH server or user is associated to the operator.

CVE-2022-23863 zohocorp vulnerability CVSS: 4.0 28 Jan 2022, 16:15 UTC

Zoho ManageEngine Desktop Central before 10.1.2137.10 allows an authenticated user to change any user's login password.

CVE-2021-46065 zohocorp vulnerability CVSS: 3.5 27 Jan 2022, 16:15 UTC

A cross-site scripting (XSS) vulnerability in the Secondary Email field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attacker to inject arbitrary JavaScript code.

CVE-2021-44757 zohocorp vulnerability CVSS: 6.4 18 Jan 2022, 10:15 UTC

Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server.

CVE-2021-44652 zohocorp vulnerability CVSS: 6.8 12 Jan 2022, 15:15 UTC

Zoho ManageEngine O365 Manager Plus before Build 4416 allows remote code execution via BCP file overwrite through the ChangeDBAPI component.

CVE-2021-44651 zohocorp vulnerability CVSS: 6.5 12 Jan 2022, 15:15 UTC

Zoho ManageEngine CloudSecurityPlus before Build 4117 allows remote code execution through the updatePersonalizeSettings component due to an improper security patch for CVE-2021-40175.

CVE-2021-44650 zohocorp vulnerability CVSS: 6.5 12 Jan 2022, 14:15 UTC

Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote command execution when updating proxy settings through the Admin ProxySettings and Tenant ProxySettings components.

CVE-2020-28679 zohocorp vulnerability CVSS: 6.5 10 Jan 2022, 18:15 UTC

A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request.

CVE-2021-46166 zohocorp vulnerability CVSS: 4.0 10 Jan 2022, 14:11 UTC

Zoho ManageEngine Desktop Central before 10.0.662 allows authenticated users to obtain sensitive information from the database by visiting the Reports page.

CVE-2021-46165 zohocorp vulnerability CVSS: 4.6 10 Jan 2022, 14:11 UTC

Zoho ManageEngine Desktop Central before 10.0.662, during startup, launches an executable file from the batch files, but this file's path might not be properly defined.

CVE-2021-46164 zohocorp vulnerability CVSS: 6.5 10 Jan 2022, 14:11 UTC

Zoho ManageEngine Desktop Central before 10.0.662 allows remote code execution by an authenticated user who has complete access to the Reports module.

CVE-2021-20148 zohocorp vulnerability CVSS: 3.5 03 Jan 2022, 22:15 UTC

ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a predictable filename based on the domain name. When ADSSP is configured with multiple Windows domains, a user from one domain can obtain the password policy for another domain by authenticating to the service and then sending a request specifying the password policy file of the other domain.

CVE-2021-20147 zohocorp vulnerability CVSS: 5.0 03 Jan 2022, 22:15 UTC

ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists.

CVE-2021-44526 zohocorp vulnerability CVSS: 6.8 23 Dec 2021, 15:15 UTC

Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

CVE-2021-44525 zohocorp vulnerability CVSS: 7.5 20 Dec 2021, 16:15 UTC

Zoho ManageEngine PAM360 before build 5303 allows attackers to modify a few aspects of application state because of a filter bypass in which authentication is not required.

CVE-2021-44676 zohocorp vulnerability CVSS: 7.5 20 Dec 2021, 15:15 UTC

Zoho ManageEngine Access Manager Plus before 4203 allows anyone to view a few data elements (e.g., access control details) and modify a few aspects of the application state.

CVE-2021-44675 zohocorp vulnerability CVSS: 7.5 20 Dec 2021, 15:15 UTC

Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in which authentication is not required.

CVE-2021-44515 zohocorp vulnerability CVSS: 10.0 12 Dec 2021, 05:15 UTC

Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.

CVE-2021-44514 zohocorp vulnerability CVSS: 7.5 09 Dec 2021, 20:15 UTC

OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories.

CVE-2021-43319 zohocorp vulnerability CVSS: 7.5 30 Nov 2021, 19:15 UTC

Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality.

CVE-2021-43296 zohocorp vulnerability CVSS: 5.0 30 Nov 2021, 19:15 UTC

Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor.

CVE-2021-43295 zohocorp vulnerability CVSS: 4.3 30 Nov 2021, 19:15 UTC

Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module.

CVE-2021-43294 zohocorp vulnerability CVSS: 4.3 30 Nov 2021, 19:15 UTC

Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module.

CVE-2021-42099 zohocorp vulnerability CVSS: 7.5 30 Nov 2021, 19:15 UTC

Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution.

CVE-2021-44077 zohocorp vulnerability CVSS: 7.5 29 Nov 2021, 04:15 UTC

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

CVE-2021-42955 zohocorp vulnerability CVSS: 7.2 17 Nov 2021, 13:15 UTC

Zoho Remote Access Plus Server Windows Desktop binary fixed in version 10.1.2132 is affected by an unauthorized password reset vulnerability. Because of the designed password reset mechanism, any non-admin Windows user can reset the password of the Remote Access Plus Server Admin account.

CVE-2021-42954 zohocorp vulnerability CVSS: 4.6 17 Nov 2021, 13:15 UTC

Zoho Remote Access Plus Server Windows Desktop Binary fixed from 10.1.2121.1 is affected by incorrect access control. The installation directory is vulnerable to weak file permissions, allowing full control for the Windows Everyone user group (non-admin or any guest users), thereby allowing privilege escalation, unauthorized password reset, stealing of sensitive data, access to credentials in plaintext, access to registry values, tampering with configuration files, etc.

CVE-2021-42847 zohocorp vulnerability CVSS: 7.5 11 Nov 2021, 05:15 UTC

Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files.

CVE-2021-42002 zohocorp vulnerability CVSS: 7.5 11 Nov 2021, 05:15 UTC

Zoho ManageEngine ADManager Plus before 7115 is vulnerable to a filter bypass that leads to file-upload remote code execution.

CVE-2021-41833 zohocorp vulnerability CVSS: 7.5 11 Nov 2021, 05:15 UTC

Zoho ManageEngine Patch Connect Plus before 90099 is vulnerable to unauthenticated remote code execution.

CVE-2021-41081 zohocorp vulnerability CVSS: 7.5 11 Nov 2021, 05:15 UTC

Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a configuration search.

CVE-2021-41080 zohocorp vulnerability CVSS: 7.5 11 Nov 2021, 05:15 UTC

Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a hardware details search.

CVE-2020-24743 zohocorp vulnerability CVSS: 7.5 03 Nov 2021, 17:15 UTC

An issue was found in /showReports.do in Zoho ManageEngine Applications Manager up to 14550 that allows attackers to gain escalated privileges via the resourceid parameter.

CVE-2021-20136 zohocorp vulnerability CVSS: 7.5 01 Nov 2021, 21:15 UTC

ManageEngine Log360 Builds < 5235 are affected by an improper access control vulnerability allowing database configuration overwrite. An unauthenticated remote attacker can send a specially crafted message to Log360 to change its backend database to an attacker-controlled database and to force Log360 to restart. An attacker can leverage this vulnerability to achieve remote code execution by replacing files executed by Log360 on startup.

CVE-2021-35512 zohocorp vulnerability CVSS: 6.4 21 Oct 2021, 12:15 UTC

An SSRF issue was discovered in Zoho ManageEngine Applications Manager build 15200.

CVE-2021-41075 zohocorp vulnerability CVSS: 7.5 13 Oct 2021, 23:15 UTC

The NetFlow Analyzer in Zoho ManageEngine OpManager before 125455 is vulnerable to SQL Injection in the Attacks Module API.

CVE-2021-40493 zohocorp vulnerability CVSS: 7.5 13 Oct 2021, 23:15 UTC

Zoho ManageEngine OpManager before 125437 is vulnerable to SQL Injection in the support diagnostics module. This occurs via the pollingObject parameter of the getDataCollectionFailureReason API.

CVE-2021-20131 zohocorp vulnerability CVSS: 6.5 13 Oct 2021, 18:15 UTC

ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the Personalization interface.

CVE-2021-20130 zohocorp vulnerability CVSS: 6.5 13 Oct 2021, 18:15 UTC

ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the PasswordExpiry interface.

CVE-2021-38298 zohocorp vulnerability CVSS: 7.5 07 Oct 2021, 22:15 UTC

Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE.

CVE-2021-37931 zohocorp vulnerability CVSS: 7.5 07 Oct 2021, 16:15 UTC

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVE-2021-37930 zohocorp vulnerability CVSS: 7.5 07 Oct 2021, 16:15 UTC

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVE-2021-37929 zohocorp vulnerability CVSS: 7.5 07 Oct 2021, 16:15 UTC

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVE-2021-37928 zohocorp vulnerability CVSS: 7.5 07 Oct 2021, 16:15 UTC

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVE-2021-37926 zohocorp vulnerability CVSS: 7.5 07 Oct 2021, 16:15 UTC

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVE-2021-37924 zohocorp vulnerability CVSS: 7.5 07 Oct 2021, 16:15 UTC

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVE-2021-37923 zohocorp vulnerability CVSS: 7.5 07 Oct 2021, 16:15 UTC

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVE-2021-37922 zohocorp vulnerability CVSS: 5.0 07 Oct 2021, 16:15 UTC

Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to path traversal which allows copying of files from one directory to another.

CVE-2021-37921 zohocorp vulnerability CVSS: 7.5 07 Oct 2021, 16:15 UTC

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVE-2021-37920 zohocorp vulnerability CVSS: 7.5 07 Oct 2021, 16:15 UTC

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVE-2021-37919 zohocorp vulnerability CVSS: 7.5 07 Oct 2021, 16:15 UTC

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVE-2021-37918 zohocorp vulnerability CVSS: 7.5 07 Oct 2021, 16:15 UTC

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.

CVE-2021-37762 zohocorp vulnerability CVSS: 7.5 07 Oct 2021, 16:15 UTC

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file overwrite leading to remote code execution.

CVE-2021-33849 zohocorp vulnerability CVSS: 3.5 05 Oct 2021, 22:15 UTC

A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. The attack targets your application's users and not the application itself while using your application as the attack's vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4.

CVE-2021-41288 zohocorp vulnerability CVSS: 7.5 30 Sep 2021, 19:15 UTC

Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API.

CVE-2021-41829 zohocorp vulnerability CVSS: 5.0 30 Sep 2021, 03:15 UTC

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application's build number to calculate a certain encryption key.

CVE-2021-41828 zohocorp vulnerability CVSS: 5.0 30 Sep 2021, 03:15 UTC

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials associated with resetPWD.xml.

CVE-2021-41827 zohocorp vulnerability CVSS: 5.0 30 Sep 2021, 03:15 UTC

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials for read-only access. The credentials are in the source code that corresponds to the DCBackupRestore JAR archive.

CVE-2021-37761 zohocorp vulnerability CVSS: 7.5 27 Sep 2021, 17:15 UTC

Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to unrestricted file upload, leading to remote code execution.

CVE-2021-37539 zohocorp vulnerability CVSS: 7.5 27 Sep 2021, 15:15 UTC

Zoho ManageEngine ADManager Plus before 7111 is vulnerable to unrestricted file handling which leads to remote code execution.

CVE-2021-37927 zohocorp vulnerability CVSS: 7.5 22 Sep 2021, 14:15 UTC

Zoho ManageEngine ADManager Plus version 7110 and prior allows account takeover via SSO.

CVE-2021-37925 zohocorp vulnerability CVSS: 7.5 22 Sep 2021, 14:15 UTC

Zoho ManageEngine ADManager Plus version 7110 and prior has a Post-Auth OS command injection vulnerability.

CVE-2021-37741 zohocorp vulnerability CVSS: 6.5 21 Sep 2021, 13:15 UTC

ManageEngine ADManager Plus before 7111 has pre-authentication RCE vulnerabilities.

CVE-2021-37424 zohocorp vulnerability CVSS: 7.5 21 Sep 2021, 13:15 UTC

ManageEngine ADSelfService Plus before 6112 is vulnerable to domain user account takeover.

CVE-2021-37420 zohocorp vulnerability CVSS: 4.3 21 Sep 2021, 13:15 UTC

Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing.

CVE-2021-37419 zohocorp vulnerability CVSS: 5.0 21 Sep 2021, 13:15 UTC

Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF.

CVE-2021-37422 zohocorp vulnerability CVSS: 7.5 10 Sep 2021, 16:15 UTC

Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases.

CVE-2021-37423 zohocorp vulnerability CVSS: 7.5 10 Sep 2021, 15:15 UTC

Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover.

CVE-2021-37414 zohocorp vulnerability CVSS: 5.0 10 Sep 2021, 15:15 UTC

Zoho ManageEngine DesktopCentral before 10.0.709 allows anyone to get a valid user's APIKEY without authentication.

CVE-2021-40539 zohocorp vulnerability CVSS: 7.5 07 Sep 2021, 17:15 UTC

Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.

CVE-2021-37415 zohocorp vulnerability CVSS: 7.5 01 Sep 2021, 06:15 UTC

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.

CVE-2021-37421 zohocorp vulnerability CVSS: 7.5 30 Aug 2021, 19:15 UTC

Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass.

CVE-2021-37417 zohocorp vulnerability CVSS: 5.0 30 Aug 2021, 19:15 UTC

Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation.

CVE-2021-37416 zohocorp vulnerability CVSS: 4.3 30 Aug 2021, 19:15 UTC

Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.

CVE-2021-33055 zohocorp vulnerability CVSS: 10.0 30 Aug 2021, 19:15 UTC

Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.

CVE-2021-40178 zohocorp vulnerability CVSS: 4.3 29 Aug 2021, 20:15 UTC

Zoho ManageEngine Log360 before Build 5224 allows stored XSS via the LOGO_PATH key value in the logon settings.

CVE-2021-40177 zohocorp vulnerability CVSS: 7.5 29 Aug 2021, 20:15 UTC

Zoho ManageEngine Log360 before Build 5225 allows remote code execution via BCP file overwrite.

CVE-2021-40176 zohocorp vulnerability CVSS: 4.3 29 Aug 2021, 20:15 UTC

Zoho ManageEngine Log360 before Build 5225 allows stored XSS.

CVE-2021-40175 zohocorp vulnerability CVSS: 7.5 29 Aug 2021, 20:15 UTC

Zoho ManageEngine Log360 before Build 5219 allows unrestricted file upload with resultant remote code execution.

CVE-2021-40174 zohocorp vulnerability CVSS: 6.8 29 Aug 2021, 20:15 UTC

Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings.

CVE-2021-40173 zohocorp vulnerability CVSS: 6.8 29 Aug 2021, 20:15 UTC

Zoho ManageEngine Cloud Security Plus before Build 4117 allows a CSRF attack on the server proxy settings.

CVE-2021-40172 zohocorp vulnerability CVSS: 6.8 29 Aug 2021, 20:15 UTC

Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings.

CVE-2021-33256 zohocorp vulnerability CVSS: 9.3 09 Aug 2021, 14:15 UTC

A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports the "User Attempts Audit Report" as a CSV file. Note: The vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side."

CVE-2021-33617 zohocorp vulnerability CVSS: 5.0 31 Jul 2021, 17:15 UTC

Zoho ManageEngine Password Manager Pro before 11.2 11200 allows login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName= username enumeration, because the response (to a failed login request) is null only when the username is invalid.

CVE-2021-20110 zohocorp vulnerability CVSS: 10.0 19 Jul 2021, 15:15 UTC

Due to Manage Engine Asset Explorer Agent 1.0.34 not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as well as receive the agent's HTTP request verifying its authtoken. In httphandler.cpp, the agent reaching out over HTTP is vulnerable to an Integer Overflow, which can be turned into a Heap Overflow allowing for remote code execution as NT AUTHORITY/SYSTEM on the agent machine. The Integer Overflow occurs when receiving the POST response from the Manage Engine server, and the agent calling "HttpQueryInfoW" in order to get the "Content-Length" size from the incoming POST request. This size is taken, but multiplied to a larger amount. If an attacker specifies a Content-Length size of 1073741823 or larger, this integer arithmetic will wrap the value back around to a smaller integer, then calls "calloc" with this size to allocate memory. The following API "InternetReadFile" will copy the POST data into this buffer, which will be too small for the contents, and cause a heap overflow.

CVE-2021-20109 zohocorp vulnerability CVSS: 5.0 19 Jul 2021, 15:15 UTC

Due to the Asset Explorer agent not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as well as receive the agent's HTTP request verifying its authtoken. In AEAgent.cpp, the agent responding back over HTTP is vulnerable to a Heap Overflow if the POST payload response is too large. The POST payload response is converted to Unicode using vswprintf. This is written to a buffer only 0x2000 bytes big. If the POST payload is larger, then a heap overflow will occur.

CVE-2021-20108 zohocorp vulnerability CVSS: 5.0 19 Jul 2021, 15:15 UTC

Manage Engine Asset Explorer Agent 1.0.34 listens on port 9000 for incoming commands over HTTPS from the Manage Engine Server. The HTTPS certificates are not verified, which allows any arbitrary user on the network to send commands over port 9000. While these commands may not be executed (due to authtoken validation), the Asset Explorer agent will reach out to the Manage Engine server for an HTTP request. During this process, AEAgent.cpp allocates 0x66 bytes using "malloc". This memory is never freed in the program, causing a memory leak. Additionally, the instruction sent to aeagent (i.e., NEWSCAN, DELTASCAN, etc.) is converted to a Unicode string, but is never freed. These memory leaks allow a remote attacker to cause a Denial of Service by repetitively sending these commands to an agent and eventually crashing the agent due to an out-of-memory condition.

CVE-2021-36772 zohocorp vulnerability CVSS: 4.3 17 Jul 2021, 19:15 UTC

Zoho ManageEngine ADManager Plus before 7110 allows stored XSS.

CVE-2021-36771 zohocorp vulnerability CVSS: 4.3 17 Jul 2021, 19:15 UTC

Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS.

CVE-2021-33911 zohocorp vulnerability CVSS: 7.5 17 Jul 2021, 19:15 UTC

Zoho ManageEngine ADManager Plus before 7110 allows remote code execution.

CVE-2021-31874 zohocorp vulnerability CVSS: 4.3 02 Jul 2021, 18:15 UTC

Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application.

CVE-2021-31813 zohocorp vulnerability CVSS: 3.5 01 Jul 2021, 12:15 UTC

Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD.

CVE-2021-31531 zohocorp vulnerability CVSS: 7.5 29 Jun 2021, 14:15 UTC

Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF).

CVE-2021-31530 zohocorp vulnerability CVSS: 5.0 29 Jun 2021, 14:15 UTC

Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure.

CVE-2021-31160 zohocorp vulnerability CVSS: 5.0 29 Jun 2021, 14:15 UTC

Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data.

CVE-2021-28958 zohocorp vulnerability CVSS: 7.5 25 Jun 2021, 12:15 UTC

Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password.

CVE-2021-31857 zohocorp vulnerability CVSS: 4.3 16 Jun 2021, 13:15 UTC

In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, attackers are able to retrieve credentials via a browser extension for non-website resource types.

CVE-2021-31159 zohocorp vulnerability CVSS: 5.0 16 Jun 2021, 13:15 UTC

Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732.

CVE-2021-20081 zohocorp vulnerability CVSS: 9.0 10 Jun 2021, 12:15 UTC

Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary commands with SYSTEM privileges.

CVE-2021-28382 zohocorp vulnerability CVSS: 3.5 07 Jun 2021, 10:15 UTC

Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD.

CVE-2021-27956 zohocorp vulnerability CVSS: 4.3 20 May 2021, 18:15 UTC

Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.

CVE-2021-28959 zohocorp vulnerability CVSS: 7.5 30 Apr 2021, 13:15 UTC

Zoho ManageEngine Eventlog Analyzer through 12147 is vulnerable to unauthenticated directory traversal via an entry in a ZIP archive. This leads to remote code execution.

CVE-2021-3287 zohocorp vulnerability CVSS: 7.5 22 Apr 2021, 13:15 UTC

Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class.

CVE-2021-20080 zohocorp vulnerability CVSS: 4.3 09 Apr 2021, 18:15 UTC

Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file.

CVE-2021-20078 zohocorp vulnerability CVSS: 9.4 01 Apr 2021, 19:15 UTC

Manage Engine OpManager builds below 125346 are vulnerable to a remote denial of service vulnerability due to a path traversal issue in the spark gateway component. This allows a remote attacker to remotely delete any directory or directories on the OS.

CVE-2020-9367 zohocorp vulnerability CVSS: 6.9 18 Mar 2021, 20:15 UTC

The MPS Agent in Zoho ManageEngine Desktop Central MSP build 10.0.486 is vulnerable to DLL Hijacking: dcinventory.exe and dcconfig.exe try to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because this DLL is missing from the installation, thus making it possible to hijack the DLL and subsequently inject code, leading to an escalation of privilege to NT AUTHORITY\SYSTEM.

CVE-2020-35682 zohocorp vulnerability CVSS: 6.5 13 Mar 2021, 19:15 UTC

Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).

CVE-2020-35594 zohocorp vulnerability CVSS: 4.3 05 Mar 2021, 17:15 UTC

Zoho ManageEngine ADManager Plus before 7066 allows XSS.

CVE-2020-28050 zohocorp vulnerability CVSS: 6.4 05 Mar 2021, 17:15 UTC

Zoho ManageEngine Desktop Central before build 10.0.647 allows multiple agents to communicate with the server using a single shared authentication secret.

CVE-2021-27214 zohocorp vulnerability CVSS: 4.3 19 Feb 2021, 19:15 UTC

A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905.

CVE-2020-35765 zohocorp vulnerability CVSS: 6.5 05 Feb 2021, 14:15 UTC

doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do.

CVE-2019-16268 zohocorp vulnerability CVSS: 3.5 03 Feb 2021, 18:15 UTC

Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen.

CVE-2020-28653 zohocorp vulnerability CVSS: 7.5 03 Feb 2021, 16:15 UTC

Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.

CVE-2020-27733 zohocorp vulnerability CVSS: 6.5 19 Jan 2021, 16:15 UTC

Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.

CVE-2019-16962 zohocorp vulnerability CVSS: 3.5 06 Jan 2021, 17:15 UTC

Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a modified Report Name in a New Custom Report.

CVE-2020-27995 zohocorp vulnerability CVSS: 7.5 29 Oct 2020, 17:15 UTC

SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter.

CVE-2020-10816 zohocorp vulnerability CVSS: 5.0 08 Oct 2020, 17:15 UTC

Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via the AAMRequestProcessor servlet.

CVE-2020-16267 zohocorp vulnerability CVSS: 6.5 06 Oct 2020, 19:15 UTC

Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module.

CVE-2020-15927 zohocorp vulnerability CVSS: 6.5 06 Oct 2020, 19:15 UTC

Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module.

CVE-2020-24397 zohocorp vulnerability CVSS: 9.0 02 Oct 2020, 20:15 UTC

An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges.

CVE-2020-15589 zohocorp vulnerability CVSS: 6.8 02 Oct 2020, 20:15 UTC

A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W and Remote Access Plus before 10.1.2119.1. By exploiting this issue, an attacker-controlled server can force the client to skip TLS certificate validation, leading to a man-in-the-middle attack against HTTPS and unauthenticated remote code execution.

CVE-2020-15533 zohocorp vulnerability CVSS: 7.5 01 Oct 2020, 19:15 UTC

In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to an unauthenticated SQL Injection attack.

CVE-2020-15595 zohocorp vulnerability CVSS: 4.0 30 Sep 2020, 18:15 UTC

An issue was discovered in Zoho Application Control Plus before version 10.0.511. The Element Configuration feature (to configure elements included in the scope of elements managed by the product) allows an attacker to retrieve the entire list of the IP ranges and subnets configured in the product and consequently obtain information about the cartography of the internal networks to which the product has access.

CVE-2020-15594 zohocorp vulnerability CVSS: 4.0 30 Sep 2020, 18:15 UTC

An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to perform a scan in order to discover open ports on a machine as well as available machines on the network segment on which the instance of the product is deployed.

CVE-2018-5353 zohocorp vulnerability CVSS: 7.5 30 Sep 2020, 18:15 UTC

The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required.

CVE-2020-15521 zohocorp vulnerability CVSS: 4.3 25 Sep 2020, 07:15 UTC

Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS).

CVE-2020-15394 zohocorp vulnerability CVSS: 7.5 25 Sep 2020, 07:15 UTC

The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution.

CVE-2020-14008 zohocorp vulnerability CVSS: 6.5 04 Sep 2020, 15:15 UTC

Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution.

CVE-2020-24786 zohocorp vulnerability CVSS: 10.0 31 Aug 2020, 15:15 UTC

An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise.

CVE-2020-11552 zohocorp vulnerability CVSS: 10.0 11 Aug 2020, 16:15 UTC

An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick-client software is launched, which connects to a remote ADSelfService Plus server to facilitate self-service operations. An unauthenticated attacker having physical access to the host could trigger a security alert by supplying a self-signed SSL certificate to the client. The View Certificate option from the security alert allows an attacker to export a displayed certificate to a file. This can further cascade to a dialog that can open Explorer as SYSTEM. By navigating from Explorer to \windows\system32, cmd.exe can be launched as SYSTEM.

CVE-2020-15588 zohocorp vulnerability CVSS: 7.5 29 Jul 2020, 18:15 UTC

An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. This issue occurs only when untrusted communication is initiated with the server. In the cloud, the Agent always connects using trusted communication.

CVE-2020-14048 zohocorp vulnerability CVSS: 5.0 12 Jun 2020, 02:15 UTC

Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents.

CVE-2020-13818 zohocorp vulnerability CVSS: 5.0 04 Jun 2020, 13:15 UTC

In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed.

CVE-2020-13154 zohocorp vulnerability CVSS: 4.0 18 May 2020, 22:15 UTC

Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet.

CVE-2019-15083 zohocorp vulnerability CVSS: 4.3 14 May 2020, 14:15 UTC

Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator visualizes this page.

CVE-2020-11532 zohocorp vulnerability CVSS: 10.0 08 May 2020, 21:15 UTC

Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of the admin user.

CVE-2020-11531 zohocorp vulnerability CVSS: 6.5 08 May 2020, 21:15 UTC

The DataEngine Xnode Server application in Zoho ManageEngine DataSecurity Plus prior to 6.0.1 does not validate the database schema name when handling a DR-SCHEMA-SYNC request. This allows an authenticated attacker to execute code in the context of the product by writing a JSP file to the webroot directory via directory traversal.

CVE-2020-12116 zohocorp vulnerability CVSS: 5.0 07 May 2020, 20:15 UTC

Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.

CVE-2020-10859 zohocorp vulnerability CVSS: 4.0 05 May 2020, 21:15 UTC

Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request.

CVE-2020-11946 zohocorp vulnerability CVSS: 5.0 20 Apr 2020, 21:15 UTC

Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call.

CVE-2020-11527 zohocorp vulnerability CVSS: 5.0 04 Apr 2020, 17:15 UTC

In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files.

CVE-2020-11518 zohocorp vulnerability CVSS: 7.5 04 Apr 2020, 14:15 UTC

Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution.

CVE-2020-8509 zohocorp vulnerability CVSS: 5.0 30 Mar 2020, 18:15 UTC

Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure.

CVE-2020-8838 zohocorp vulnerability CVSS: 4.9 23 Mar 2020, 17:15 UTC

An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. During an upgrade of the Windows agent, it does not validate the source and binary downloaded. This allows an attacker on an adjacent network to execute code with NT AUTHORITY/SYSTEM privileges on the agent machines by providing an arbitrary executable via a man-in-the-middle attack.

CVE-2019-19034 zohocorp vulnerability CVSS: 6.5 23 Mar 2020, 17:15 UTC

Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.

CVE-2019-15510 zohocorp vulnerability CVSS: 4.3 23 Mar 2020, 14:15 UTC

ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 10 allows HTML injection on the user administration page via the description of a role.

CVE-2019-11361 zohocorp vulnerability CVSS: 6.5 19 Mar 2020, 17:15 UTC

Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user permissions properly, allowing for privilege escalation and eventually a full application takeover.

CVE-2020-9347 zohocorp vulnerability CVSS: 7.5 16 Mar 2020, 22:15 UTC

Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products.

CVE-2020-9346 zohocorp vulnerability CVSS: 6.8 16 Mar 2020, 22:15 UTC

Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role.

CVE-2019-19799 zohocorp vulnerability CVSS: 5.0 13 Mar 2020, 17:15 UTC

Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via the WieldFeedServlet servlet.

CVE-2020-10541 zohocorp vulnerability CVSS: 7.5 13 Mar 2020, 06:15 UTC

Zoho ManageEngine OpManager before 12.4.179 allows remote code execution via a specially crafted Mail Server Settings v1 API request. This was fixed in 12.5.108.

CVE-2020-8540 zohocorp vulnerability CVSS: 7.5 11 Mar 2020, 17:15 UTC

An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

CVE-2016-1159 zohocorp vulnerability CVSS: 4.0 09 Mar 2020, 17:15 UTC

In ZOHO Password Manager Pro (PMP) 8.3.0 (Build 8303) and 8.4.0 (Builds 8400, 8401, 8402), underprivileged users can obtain sensitive information (entry password history) via a vulnerable hidden service.

CVE-2020-10189 zohocorp vulnerability CVSS: 10.0 06 Mar 2020, 17:15 UTC

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

CVE-2019-20474 zohocorp vulnerability CVSS: 4.0 17 Feb 2020, 19:15 UTC

An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF.

CVE-2014-7863 zohocorp vulnerability CVSS: 5.0 08 Feb 2020, 17:15 UTC

The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.

CVE-2019-19800 zohocorp vulnerability CVSS: 5.0 06 Feb 2020, 17:15 UTC

Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet.

CVE-2020-8422 zohocorp vulnerability CVSS: 4.0 31 Jan 2020, 16:15 UTC

An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password).

CVE-2013-7390 zohocorp vulnerability CVSS: 7.5 27 Jan 2020, 18:15 UTC

Unrestricted file upload vulnerability in AgentLogUploadServlet in ManageEngine DesktopCentral 7.x and 8.0.0 before build 80293 allows remote attackers to execute arbitrary code by uploading a file with a jsp extension, then accessing it via a direct request to the file in the webroot.

CVE-2020-6843 zohocorp vulnerability CVSS: 3.5 23 Jan 2020, 15:15 UTC

Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959.

CVE-2014-5007 zohocorp vulnerability CVSS: 10.0 17 Jan 2020, 22:15 UTC

Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename parameter.

CVE-2014-6039 zohocorp vulnerability CVSS: 5.0 13 Jan 2020, 13:15 UTC

ManageEngine EventLog Analyzer version 7 through 9.9 build 9002 has a Credentials Disclosure Vulnerability. Fixed in version 10 Build 10000.

CVE-2014-6038 zohocorp vulnerability CVSS: 5.0 13 Jan 2020, 13:15 UTC

Zoho ManageEngine EventLog Analyzer versions 7 through 9.9 build 9002 have a database Information Disclosure Vulnerability. Fixed in EventLog Analyzer 10.0 Build 10000.

CVE-2019-19475 zohocorp vulnerability CVSS: 9.0 10 Jan 2020, 22:15 UTC

An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. The integrated PostgreSQL that is built into Applications Manager is prone to attack due to a lack of file permission security. Malicious users who are in the "Authenticated Users" group can exploit this for privilege escalation by modifying the PostgreSQL configuration to execute an arbitrary command, escalating to full system privileges and gaining complete access to and rights over the system.

CVE-2019-7162 zohocorp vulnerability CVSS: 6.4 31 Dec 2019, 15:15 UTC

An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to retrieve internal information from the system and modify the product installation.

CVE-2019-18781 zohocorp vulnerability CVSS: 5.8 18 Dec 2019, 22:15 UTC

An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site.

CVE-2019-19774 zohocorp vulnerability CVSS: 4.0 13 Dec 2019, 18:15 UTC

An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing credential data stored in the database, and recover the MD5 hashes of the accounts used to authenticate the ManageEngine platform to the managed machines on the network (most often administrative accounts). Specifically, this bypasses these restrictions: a query cannot mention password, and a query result cannot have a password column.

CVE-2019-19650 zohocorp vulnerability CVSS: 6.5 11 Dec 2019, 18:16 UTC

Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.

CVE-2019-19649 zohocorp vulnerability CVSS: 7.5 11 Dec 2019, 18:16 UTC

Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function.

CVE-2019-17421 zohocorp vulnerability CVSS: 7.2 21 Nov 2019, 15:15 UTC

Incorrect file permissions on the packaged Nipper executable file in Zoho ManageEngine OpManager 12.4.072 and Firewall Analyzer 12.4.072 allow local users to elevate privileges to root by overwriting this file with a malicious payload.

CVE-2019-18411 zohocorp vulnerability CVSS: 6.8 06 Nov 2019, 22:15 UTC

Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the reset password function and control the system to send the authentication code back to the channel that the attackers own.

CVE-2019-17602 zohocorp vulnerability CVSS: 7.5 15 Oct 2019, 21:15 UTC

An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.

CVE-2019-17112 zohocorp vulnerability CVSS: 4.0 09 Oct 2019, 20:15 UTC

An issue was discovered in Zoho ManageEngine DataSecurity Plus before 5.0.1 5012. An exposed service allows a basic user ("Operator" access level) to access the configuration file of the mail server (except for the password).

CVE-2019-15045 zohocorp vulnerability CVSS: 5.0 21 Aug 2019, 19:15 UTC

AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality.

CVE-2019-15106 zohocorp vulnerability CVSS: 7.5 16 Aug 2019, 03:15 UTC

An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The string username + '@opm' is used as the password. For example, if the username is admin, the password is admin@opm.

CVE-2019-15105 zohocorp vulnerability CVSS: 9.0 16 Aug 2019, 03:15 UTC

An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.

CVE-2019-15104 zohocorp vulnerability CVSS: 9.0 16 Aug 2019, 03:15 UTC

An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.

CVE-2019-15046 zohocorp vulnerability CVSS: 5.0 14 Aug 2019, 15:15 UTC

Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989.

CVE-2019-14693 zohocorp vulnerability CVSS: 5.5 08 Aug 2019, 18:15 UTC

Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing license XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

CVE-2019-12994 zohocorp vulnerability CVSS: 6.5 08 Aug 2019, 18:15 UTC

Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer version 6.2.0 for the AJaxServlet servlet via a parameter in a URL.

CVE-2019-12959 zohocorp vulnerability CVSS: 6.5 08 Aug 2019, 18:15 UTC

Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetExplorer 6.2.0 and before for the ClientUtilServlet servlet via a URL in a parameter.

CVE-2019-12876 zohocorp vulnerability CVSS: 8.5 17 Jul 2019, 20:15 UTC

Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System.

CVE-2019-12597 zohocorp vulnerability CVSS: 4.3 11 Jul 2019, 14:15 UTC

An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via ResourcesAttachments.jsp with the parameter pageName.

CVE-2019-12596 zohocorp vulnerability CVSS: 4.3 11 Jul 2019, 14:15 UTC

An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via SoftwareListView.do with the parameter swType or swComplianceType.

CVE-2019-12595 zohocorp vulnerability CVSS: 4.3 11 Jul 2019, 14:15 UTC

An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via the RCSettings.do rdsName parameter.

CVE-2019-12540 zohocorp vulnerability CVSS: 4.3 11 Jul 2019, 14:15 UTC

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. There is XSS via the WorkOrder.do search field.

CVE-2019-12539 zohocorp vulnerability CVSS: 4.3 11 Jul 2019, 14:15 UTC

An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus. There is XSS via the SearchN.do search field, a different vulnerability than CVE-2019-12189.

CVE-2019-12537 zohocorp vulnerability CVSS: 4.3 11 Jul 2019, 14:15 UTC

An issue was discovered in Zoho ManageEngine AssetExplorer. There is XSS via the SearchN.do search field.

CVE-2019-12133 zohocorp vulnerability CVSS: 7.2 18 Jun 2019, 22:15 UTC

Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus.

CVE-2019-12476 zohocorp vulnerability CVSS: 7.2 17 Jun 2019, 18:15 UTC

An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input.

CVE-2019-12196 zohocorp vulnerability CVSS: 7.5 05 Jun 2019, 18:29 UTC

A SQL injection vulnerability in /client/api/json/v2/nfareports/compareReport in Zoho ManageEngine NetFlow Analyzer 12.3 allows attackers to execute arbitrary SQL commands via the DeviceID parameter.

CVE-2019-12543 zohocorp vulnerability CVSS: 4.3 05 Jun 2019, 15:29 UTC

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.

CVE-2019-12542 zohocorp vulnerability CVSS: 4.3 05 Jun 2019, 15:29 UTC

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.

CVE-2019-12541 zohocorp vulnerability CVSS: 4.3 05 Jun 2019, 15:29 UTC

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.

CVE-2019-12538 zohocorp vulnerability CVSS: 4.3 05 Jun 2019, 15:29 UTC

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field.

CVE-2019-8346 zohocorp vulnerability CVSS: 4.3 24 May 2019, 17:29 UTC

In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do Cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token.

CVE-2017-11560 zohocorp vulnerability CVSS: 3.5 23 May 2019, 18:29 UTC

An issue was discovered in ZOHO ManageEngine OpManager 12.2. By adding a Google Map to the application, an authenticated user can upload an HTML file. This HTML file is then rendered in various locations of the application. JavaScript inside the uploaded HTML is also interpreted by the application. Thus, an attacker can inject a malicious JavaScript payload inside the HTML file and upload it to the application.

CVE-2017-11559 zohocorp vulnerability CVSS: 5.0 23 May 2019, 18:29 UTC

An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack.

CVE-2017-11557 zohocorp vulnerability CVSS: 5.0 23 May 2019, 18:29 UTC

An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request.

CVE-2017-11740 zohocorp vulnerability CVSS: 6.8 23 May 2019, 16:29 UTC

In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be executed upon the occurrence of an alarm. An attacker can abuse this functionality by uploading a malicious script that can be executed on the remote system.

CVE-2017-11739 zohocorp vulnerability CVSS: 4.3 23 May 2019, 16:29 UTC

In Zoho ManageEngine Application Manager 13.1 Build 13100, an authenticated user, with administrative privileges, has the ability to add a widget on any dashboard. This widget can be a "Utility Widget" with a "Custom HTML or Text" field. Once this widget is created, it will be loaded on the dashboard where it was added. An attacker can abuse this functionality by creating a "Utility Widget" that contains malicious JavaScript code, aka XSS.

CVE-2017-11738 zohocorp vulnerability CVSS: 6.8 23 May 2019, 16:29 UTC

In Zoho ManageEngine Application Manager prior to 14.6 Build 14660, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack.

CVE-2017-11561 zohocorp vulnerability CVSS: 4.0 23 May 2019, 16:29 UTC

An issue was discovered in ZOHO ManageEngine OpManager 12.2. An authenticated user can upload any file they want to share in the "Group Chat" or "Alarm" section. This functionality can be abused by a malicious user by uploading a web shell.

CVE-2019-12252 zohocorp vulnerability CVSS: 4.0 21 May 2019, 18:29 UTC

In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring.

CVE-2019-12189 zohocorp vulnerability CVSS: 4.3 21 May 2019, 18:29 UTC

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.

CVE-2019-8929 zohocorp vulnerability CVSS: 4.3 17 May 2019, 15:29 UTC

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/selectDevice.jsp file in these GET parameters: param and rtype.

CVE-2019-8928 zohocorp vulnerability CVSS: 4.3 17 May 2019, 15:29 UTC

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in /netflow/jspui/userManagementForm.jsp via these GET parameters: authMeth, passWord, pwd1, and userName.

CVE-2019-8927 zohocorp vulnerability CVSS: 4.3 17 May 2019, 15:29 UTC

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/scheduleConfig.jsp file via these GET parameters: devSrc, emailId, excWeekModify, filterFlag, getFilter, mailReport, mset, popup, rep_schedule, rep_Type, schDesc, schName, schSource, selectDeviceDone, task, val10, and val11.

CVE-2019-8926 zohocorp vulnerability CVSS: 4.3 17 May 2019, 14:29 UTC

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/popup1.jsp file via these GET parameters: bussAlert, customDev, and selSource.

CVE-2019-8925 zohocorp vulnerability CVSS: 4.0 17 May 2019, 02:29 UTC

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. An Absolute Path Traversal vulnerability in the Administration zone, in /netflow/servlet/CReportPDFServlet (via the parameter schFilePath), allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via any file name, such as a schFilePath=C:\boot.ini value.

CVE-2019-7427 zohocorp vulnerability CVSS: 4.3 07 May 2019, 19:29 UTC

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the autorefTime or graphTypes parameter.

CVE-2019-7426 zohocorp vulnerability CVSS: 4.3 07 May 2019, 19:29 UTC

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the groupDesc, groupName, groupID, or task parameter.

CVE-2019-11678 zohocorp vulnerability CVSS: 7.5 02 May 2019, 14:29 UTC

The "default reports" feature in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123218 is vulnerable to SQL Injection.

CVE-2019-11677 zohocorp vulnerability CVSS: 7.5 02 May 2019, 14:29 UTC

The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection.

CVE-2019-11676 zohocorp vulnerability CVSS: 4.3 02 May 2019, 14:29 UTC

The user defined DNS name in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to stored XSS attacks.

CVE-2018-19374 zohocorp vulnerability CVSS: 6.9 30 Apr 2019, 18:29 UTC

Zoho ManageEngine ADManager Plus 6.6 Build 6657 allows local users to gain privileges (after a reboot) by placing a Trojan horse file into the permissive bin directory.

CVE-2019-11511 zohocorp vulnerability CVSS: 4.3 25 Apr 2019, 03:29 UTC

Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API.

CVE-2019-10008 zohocorp vulnerability CVSS: 6.5 24 Apr 2019, 19:29 UTC

Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab.

CVE-2019-11469 zohocorp vulnerability CVSS: 10.0 23 Apr 2019, 04:29 UTC

Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.

CVE-2019-11448 zohocorp vulnerability CVSS: 10.0 22 Apr 2019, 11:29 UTC

An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file.

CVE-2019-10273 zohocorp vulnerability CVSS: 4.0 04 Apr 2019, 16:29 UTC

Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users to enumerate active users. Due to a flaw in the way authentication is handled, an attacker is able to log in and verify whether any given account is active.

CVE-2017-9376 zohocorp vulnerability CVSS: 5.0 25 Mar 2019, 16:29 UTC

ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do and AssetDefaultConfigDef.do.

CVE-2017-9362 zohocorp vulnerability CVSS: 6.5 25 Mar 2019, 16:29 UTC

ManageEngine ServiceDesk Plus before 9312 contains an XML injection at add Configuration items CMDB API.

CVE-2019-7425 zohocorp vulnerability CVSS: 4.3 21 Mar 2019, 16:01 UTC

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the task parameter.

CVE-2019-7424 zohocorp vulnerability CVSS: 4.3 21 Mar 2019, 16:01 UTC

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/index.jsp" file in the view GET parameter or any of these POST parameters: autorefTime, section, snapshot, viewOpt, viewAll, view, or groupSelName. The latter is related to CVE-2009-3903.

CVE-2019-7423 zohocorp vulnerability CVSS: 4.3 21 Mar 2019, 16:01 UTC

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/editProfile.jsp" file in the userName parameter.

CVE-2019-7422 zohocorp vulnerability CVSS: 4.3 21 Mar 2019, 16:01 UTC

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/addMailSettings.jsp" file in the gF parameter.

CVE-2019-7161 zohocorp vulnerability CVSS: 5.0 21 Mar 2019, 16:01 UTC

An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed (hard-coded) encryption keys to protect stored information, so an attacker who recovers the key can decrypt any data it protects.

CVE-2019-8395 zohocorp vulnerability CVSS: 7.5 17 Feb 2019, 04:29 UTC

An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.

CVE-2019-8394 zohocorp vulnerability CVSS: 4.0 17 Feb 2019, 04:29 UTC

Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.

CVE-2019-3905 zohocorp vulnerability CVSS: 7.5 03 Jan 2019, 19:29 UTC

Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF.

CVE-2018-20664 zohocorp vulnerability CVSS: 7.5 03 Jan 2019, 19:29 UTC

Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.

CVE-2018-20485 zohocorp vulnerability CVSS: 4.3 26 Dec 2018, 18:29 UTC

Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature.

CVE-2018-20484 zohocorp vulnerability CVSS: 4.3 26 Dec 2018, 18:29 UTC

Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation.

CVE-2018-20339 zohocorp vulnerability CVSS: 4.3 21 Dec 2018, 09:29 UTC

Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms section.

CVE-2018-20338 zohocorp vulnerability CVSS: 7.5 21 Dec 2018, 09:29 UTC

Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section.

CVE-2018-20173 zohocorp vulnerability CVSS: 7.5 17 Dec 2018, 08:29 UTC

Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API.

CVE-2018-19118 zohocorp vulnerability CVSS: 5.0 13 Dec 2018, 19:29 UTC

Zoho ManageEngine ADAudit before 5.1 build 5120 allows remote attackers to cause a denial of service (stack-based buffer overflow) via the 'Domain Name' field when adding a new domain.

CVE-2018-19921 zohocorp vulnerability CVSS: 4.3 06 Dec 2018, 22:29 UTC

Zoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain controller.

CVE-2018-18716 zohocorp vulnerability CVSS: 4.3 20 Nov 2018, 19:29 UTC

Zoho ManageEngine OpManager 12.3 before 123219 has a Self XSS Vulnerability.

CVE-2018-18715 zohocorp vulnerability CVSS: 4.3 20 Nov 2018, 19:29 UTC

Zoho ManageEngine OpManager 12.3 before 123219 has stored XSS.

CVE-2018-19288 zohocorp vulnerability CVSS: 4.3 15 Nov 2018, 06:29 UTC

Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API.

CVE-2018-18980 zohocorp vulnerability CVSS: 5.0 06 Nov 2018, 04:29 UTC

An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.
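
The CVE above, together with CVE-2019-11677 (Firewall Analyzer custom-report import) and CVE-2018-20664 (ADSelfService Plus license upload), describes the same class of bug: an XML parser that honours DOCTYPE and entity declarations in attacker-supplied input, which lets the entity resolver read local files and, as the entry notes, push their contents to an attacker's FTP server. The following is an added example, not code from any ManageEngine product: a Python parser on the standard-library expat bindings that refuses the first DOCTYPE, entity declaration or external reference it meets, which is the same approach the defusedxml library takes. The sample documents are constructed for the example; the `device`/`name`/`ip` element names are invented and stand in for whatever a real `RequestXML` parameter would carry.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML uses a construct this parser refuses to process."""


def _forbid(what):
    # Any expat handler may raise; the exception propagates out of Parse().
    def handler(*_args):
        raise UnsafeXML(f"{what} is not accepted in untrusted XML")
    return handler


def parse_untrusted_xml(data: bytes):
    """Parse XML that arrived over the network (a request parameter, an uploaded
    file) and return [(tag, text), ...] in the order the elements close.

    The parser aborts on the first DOCTYPE, entity declaration or external
    entity reference, so neither local files nor remote URLs (file://, ftp://)
    can be pulled in through entity expansion, and internal-entity bombs never
    get a chance to expand.
    """
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid("a DOCTYPE declaration")
    parser.EntityDeclHandler = _forbid("an entity declaration")
    parser.ExternalEntityRefHandler = _forbid("an external entity reference")

    items, stack = [], []

    def start(tag, _attrs):
        stack.append((tag, []))

    def chars(text):
        stack[-1][1].append(text)

    def end(_tag):
        tag, parts = stack.pop()
        items.append((tag, "".join(parts).strip()))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return items


def check_xml(data: bytes):
    """Return ("ok", items) for acceptable input, ("rejected", reason) otherwise."""
    try:
        return "ok", parse_untrusted_xml(data)
    except UnsafeXML as exc:
        return "rejected", str(exc)
    except expat.ExpatError as exc:
        return "rejected", f"malformed XML: {exc}"


# Constructed sample inputs (not taken from any real ManageEngine request).
BENIGN_REQUEST = b"<device><name>core-sw-01</name><ip>10.0.0.1</ip></device>"
XXE_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE device [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<device><name>&xxe;</name></device>"
)

if __name__ == "__main__":
    print(check_xml(BENIGN_REQUEST))
    print(check_xml(XXE_REQUEST))
```

Refusing DOCTYPE outright is the simplest robust policy: a document that needs no entities loses nothing, and the decision is made before any entity could be resolved rather than after. In the Java parsers these products are built on, the equivalent is enabling the `disallow-doctype-decl` feature on the `DocumentBuilderFactory` or `SAXParserFactory` (and disabling external general and parameter entities for parsers that must accept a DOCTYPE).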

CVE-2018-18949 zohocorp vulnerability CVSS: 7.5 05 Nov 2018, 09:29 UTC

Zoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via Mail Server settings.

CVE-2018-18475 zohocorp vulnerability CVSS: 7.5 23 Oct 2018, 21:30 UTC

Zoho ManageEngine OpManager before 12.3 build 123214 allows Unrestricted Arbitrary File Upload.

CVE-2018-18262 zohocorp vulnerability CVSS: 4.3 17 Oct 2018, 14:29 UTC

Zoho ManageEngine OpManager 12.3 before build 123214 has XSS.

CVE-2018-17596 zohocorp vulnerability CVSS: 4.3 02 Oct 2018, 18:29 UTC

In Zoho ManageEngine AssetExplorer, a Stored XSS vulnerability was discovered in the 6.2.0 version via the /AssetDef.do ciName or assetName parameter.

CVE-2018-16364 zohocorp vulnerability CVSS: 9.3 26 Sep 2018, 21:29 UTC

A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share.

CVE-2018-16965 zohocorp vulnerability CVSS: 4.3 21 Sep 2018, 17:29 UTC

In Zoho ManageEngine SupportCenter Plus before 8.1 Build 8109, there is HTML Injection and Stored XSS via the /ServiceContractDef.do contractName parameter.

CVE-2018-16833 zohocorp vulnerability CVSS: 4.3 21 Sep 2018, 17:29 UTC

Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI.

CVE-2018-17283 zohocorp vulnerability CVSS: 5.0 21 Sep 2018, 03:29 UTC

Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.

CVE-2018-17243 zohocorp vulnerability CVSS: 7.5 20 Sep 2018, 07:29 UTC

Global Search in Zoho ManageEngine OpManager before 12.3 123205 allows SQL Injection.

CVE-2018-13412 zohocorp vulnerability CVSS: 7.2 12 Sep 2018, 16:29 UTC

An issue was discovered in the Self Service Portal in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version.

CVE-2018-13411 zohocorp vulnerability CVSS: 9.0 12 Sep 2018, 16:29 UTC

An issue was discovered in Zoho ManageEngine Desktop Central before 10.0.282. A clickable company logo in a window running as SYSTEM can be abused to escalate privileges. In cloud, the issue is fixed in 10.0.470 agent version.

CVE-2018-15740 zohocorp vulnerability CVSS: 4.3 28 Aug 2018, 19:29 UTC

Zoho ManageEngine ADManager Plus 6.5.7 has XSS on the "Workflow Delegation" "Requester Roles" screen.

CVE-2018-15169 zohocorp vulnerability CVSS: 4.3 08 Aug 2018, 00:29 UTC

A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager 13 before build 13820 allows remote attackers to inject arbitrary web script or HTML via the /deleteMO.do method parameter.

CVE-2018-15168 zohocorp vulnerability CVSS: 7.5 08 Aug 2018, 00:29 UTC

A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request.

CVE-2018-11717 zohocorp vulnerability CVSS: 5.0 16 Jul 2018, 14:29 UTC

An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64 encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the cleartext password of recovery_password of Android devices, the cleartext password of account "set", the location of devices enrolled in the platform (with UUID and information related to the name of the person at the location), critical information about all enrolled devices such as Serial Number, UUID, Model, Name, and auth_session_token (usable to spoof a terminal identity on the platform), etc.

CVE-2018-11716 zohocorp vulnerability CVSS: 5.0 16 Jul 2018, 14:29 UTC

An issue was discovered in Zoho ManageEngine Desktop Central before 100230. There is unauthenticated remote access to all log files of a Desktop Central instance containing critical information (private information such as location of enrolled devices, cleartext passwords, patching level, etc.) via a GET request on port 8022, 8443, or 8444.

CVE-2016-9498 zohocorp vulnerability CVSS: 10.0 13 Jul 2018, 20:29 UTC

ManageEngine Applications Manager 12 and 13 before build 13200 allow deserialization of untrusted Java objects. The vulnerability can be exploited by a remote user without authentication and allows remote code execution, compromising the application as well as the operating system. Because Applications Manager's RMI registry runs with system administrator privileges, an attacker exploiting this vulnerability gains the highest privileges on the underlying operating system.

CVE-2016-9491 zohocorp vulnerability CVSS: 6.8 13 Jul 2018, 20:29 UTC

ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem and read the system files, including Applications Manager configuration, stored private keys, etc. By default Application Manager is running with administrative privileges, therefore it is possible to access every directory on the underlying operating system.

CVE-2016-9489 zohocorp vulnerability CVSS: 4.0 13 Jul 2018, 20:29 UTC

In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like "ADMIN". A user is also able to change properties of another user, e.g. change another user's password.

CVE-2018-10076 zohocorp vulnerability CVSS: 4.3 02 Jul 2018, 16:29 UTC

An issue was discovered in Zoho ManageEngine EventLog Analyzer 11.12. A Cross-Site Scripting vulnerability allows a remote attacker to inject arbitrary web script or HTML via the search functionality (the search box of the Dashboard).

CVE-2018-10075 zohocorp vulnerability CVSS: 4.3 02 Jul 2018, 16:29 UTC

Cross-site scripting (XSS) vulnerability in Zoho ManageEngine EventLog Analyzer 11.12 allows remote attackers to inject arbitrary web script or HTML via the import logs feature.

CVE-2018-13050 zohocorp vulnerability CVSS: 7.5 02 Jul 2018, 11:29 UTC

A SQL Injection vulnerability exists in Zoho ManageEngine Applications Manager 13.x before build 13800 via the j_username parameter in a /j_security_check POST request.

CVE-2018-12999 zohocorp vulnerability CVSS: 6.4 29 Jun 2018, 12:29 UTC

Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI.

CVE-2018-12998 zohocorp vulnerability CVSS: 4.3 29 Jun 2018, 12:29 UTC

A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.

CVE-2018-12997 zohocorp vulnerability CVSS: 5.0 29 Jun 2018, 12:29 UTC

Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers to read certain files on the web server without login by sending a specially crafted request to the server with the operation=copyfile&fileName= substring.

CVE-2018-12996 zohocorp vulnerability CVSS: 4.3 29 Jun 2018, 12:29 UTC

A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do.

CVE-2018-11808 zohocorp vulnerability CVSS: 10.0 06 Jun 2018, 03:29 UTC

Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server.

CVE-2018-10466 zohocorp vulnerability CVSS: 7.5 29 May 2018, 20:29 UTC

Zoho ManageEngine ADAudit Plus before 5.0.0 build 5100 allows blind SQL Injection.

CVE-2018-7248 zohocorp vulnerability CVSS: 5.0 11 May 2018, 14:29 UTC

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint returns the user's logon domain if the account exists, or 'null' if it does not.

CVE-2018-10803 zohocorp vulnerability CVSS: 4.3 10 May 2018, 14:29 UTC

Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary web script or HTML via a crafted description value. This can be exploited through CSRF.

CVE-2018-5342 zohocorp vulnerability CVSS: 6.5 18 Apr 2018, 08:29 UTC

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account.

CVE-2018-5341 zohocorp vulnerability CVSS: 7.5 18 Apr 2018, 08:29 UTC

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: a missing server-side check on the file type/extension when uploading and modifying scripts.

CVE-2018-5340 zohocorp vulnerability CVSS: 6.5 18 Apr 2018, 08:29 UTC

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: database access using a superuser account (specifically, an account with permission to write to the filesystem via SQL queries).

CVE-2018-5339 zohocorp vulnerability CVSS: 7.5 18 Apr 2018, 08:29 UTC

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions.

CVE-2018-5338 zohocorp vulnerability CVSS: 7.5 18 Apr 2018, 08:29 UTC

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: missing authentication/authorization for a database query mechanism.

CVE-2018-5337 zohocorp vulnerability CVSS: 7.5 18 Apr 2018, 08:29 UTC

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: directory traversal in the SCRIPT_NAME field when modifying existing scripts.

CVE-2018-5799 zohocorp vulnerability CVSS: 4.3 30 Mar 2018, 13:29 UTC

In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139.

CVE-2018-8722 zohocorp vulnerability CVSS: 4.3 15 Mar 2018, 04:29 UTC

Zoho ManageEngine Desktop Central version 9.1.0 build 91099 has multiple XSS issues that were fixed in build 92026.

CVE-2018-8721 zohocorp vulnerability CVSS: 4.3 15 Mar 2018, 04:29 UTC

Zoho ManageEngine EventLog Analyzer version 11.0 build 11000 has Stored XSS related to the index2.do?url=editAlertForm&tab=alert&alert=profile URI and the Edit Alert Profile screen.

CVE-2018-7405 zohocorp vulnerability CVSS: 4.3 13 Mar 2018, 19:29 UTC

Cross-site scripting (XSS) in Zoho ManageEngine EventLog Analyzer before 11.12 Build 11120 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2018-7890 zohocorp vulnerability CVSS: 10.0 08 Mar 2018, 22:29 UTC

A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection.

CVE-2017-16924 zohocorp vulnerability CVSS: 5.0 19 Feb 2018, 04:29 UTC

Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157.

CVE-2017-17552 zohocorp vulnerability CVSS: 6.8 07 Feb 2018, 17:29 UTC

/LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted.

CVE-2014-7862 zohocorp vulnerability CVSS: 7.5 04 Jan 2018, 17:29 UTC

The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central MSP before build 90109 allows remote attackers to create administrator accounts via an addPlugInUser action.

CVE-2017-17698 zohocorp vulnerability CVSS: 4.3 15 Dec 2017, 19:29 UTC

Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflected XSS in SearchResult.ec and BulkAccessControlView.ec.

CVE-2017-16851 zohocorp vulnerability CVSS: 7.5 16 Nov 2017, 17:29 UTC

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter.

CVE-2017-16850 zohocorp vulnerability CVSS: 7.5 16 Nov 2017, 17:29 UTC

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action.

CVE-2017-16849 zohocorp vulnerability CVSS: 7.5 16 Nov 2017, 17:29 UTC

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter.

CVE-2017-16848 zohocorp vulnerability CVSS: 7.5 16 Nov 2017, 17:29 UTC

Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter.

CVE-2017-16847 zohocorp vulnerability CVSS: 7.5 16 Nov 2017, 17:29 UTC

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action.

CVE-2017-16846 zohocorp vulnerability CVSS: 7.5 16 Nov 2017, 17:29 UTC

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter.

CVE-2017-16543 zohocorp vulnerability CVSS: 7.5 05 Nov 2017, 17:29 UTC

Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter.

CVE-2017-16542 zohocorp vulnerability CVSS: 6.5 05 Nov 2017, 17:29 UTC

Zoho ManageEngine Applications Manager 13 before build 13500 allows Post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request.

CVE-2017-14582 zohocorp vulnerability CVSS: 4.3 30 Sep 2017, 01:29 UTC

The Zoho Site24x7 Mobile Network Poller application before 1.1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a self-signed certificate.

CVE-2017-14123 zohocorp vulnerability CVSS: 9.0 04 Sep 2017, 20:29 UTC

Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted file upload vulnerability in the "Group Chat" section. Any user can upload files with any extension. By uploading a server-side script such as a JSP file, an attacker can cause it to execute in the server context, as demonstrated by /itplus/FileStorage/302/shell.jsp.

CVE-2015-9107 zohocorp vulnerability CVSS: 5.0 04 Aug 2017, 00:29 UTC

Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor.

CVE-2015-2560 zohocorp vulnerability CVSS: 5.0 02 Aug 2017, 19:29 UTC

Manage Engine Desktop Central 9 before build 90135 allows remote attackers to change passwords of users with the Administrator role via an addOrModifyUser operation to servlets/DCOperationsServlet.

CVE-2017-11687 zohocorp vulnerability CVSS: 4.3 27 Jul 2017, 06:29 UTC

Multiple persistent cross-site scripting (XSS) vulnerabilities in the event log parsing and display functions in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML via syslog.

CVE-2017-11686 zohocorp vulnerability CVSS: 4.3 27 Jul 2017, 06:29 UTC

Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attackers to obtain an authenticated user's password via XSS vulnerabilities or sniffing non-SSL traffic on the network, because the password is represented in a cookie with a reversible encoding method.

CVE-2017-11685 zohocorp vulnerability CVSS: 4.3 27 Jul 2017, 06:29 UTC

Multiple reflected cross-site scripting (XSS) vulnerabilities in search and display of event data in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML, as demonstrated by the fName parameter.

CVE-2017-11346 zohocorp vulnerability CVSS: 7.5 17 Jul 2017, 13:18 UTC

Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos.

CVE-2015-7781 zohocorp vulnerability CVSS: 5.0 27 Jun 2017, 20:29 UTC

ManageEngine Firewall Analyzer before 8.0 does not restrict access permissions.

CVE-2015-7780 zohocorp vulnerability CVSS: 4.0 27 Jun 2017, 20:29 UTC

Directory traversal vulnerability in ManageEngine Firewall Analyzer before 8.0.

CVE-2017-7213 zohocorp vulnerability CVSS: 10.0 15 May 2017, 10:29 UTC

Zoho ManageEngine Desktop Central before build 100082 allows remote attackers to obtain control over all connected active desktops via unspecified vectors.

CVE-2016-1161 zohocorp vulnerability CVSS: 6.0 20 Apr 2017, 21:59 UTC

Cross-site request forgery (CSRF) vulnerability in ManageEngine Password Manager Pro before 8.5 (Build 8500).

CVE-2016-4890 zohocorp vulnerability CVSS: 5.0 14 Apr 2017, 18:59 UTC

ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie.

CVE-2016-4888 zohocorp vulnerability CVSS: 3.5 14 Apr 2017, 18:59 UTC

Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2016-6603 zohocorp vulnerability CVSS: 5.0 23 Jan 2017, 21:59 UTC

ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header.

CVE-2016-6602 zohocorp vulnerability CVSS: 5.0 23 Jan 2017, 21:59 UTC

ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a remote exploit.

CVE-2016-6601 zohocorp vulnerability CVSS: 5.0 23 Jan 2017, 21:59 UTC

Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.

CVE-2016-6600 zohocorp vulnerability CVSS: 7.5 23 Jan 2017, 21:59 UTC

Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. (dot dot) in the fileName parameter to servlets/FileUploadServlet.
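
The two WebNMS entries above (`..` in the `fileName` parameter to servlets/FetchFile and servlets/FileUploadServlet), CVE-2018-12997 and CVE-2018-12999 earlier on this page (`operation=copyfile&fileName=` and `computerName=../`), and CVE-2019-8925 (an absolute `schFilePath=C:\boot.ini`) all come down to a file name from the request being joined onto a server directory without checking where the result lands. The check below is an added example written for this page, not code from WebNMS or any ManageEngine product. It assumes an invented storage root `/srv/app/reports`; the decoding step assumes the framework has not already URL-decoded the parameter (if it has, decode once only, never twice).

```python
import ntpath
import os
import posixpath
from urllib.parse import unquote

# Assumed storage root for this example; the real products use other directories.
REPORT_DIR = "/srv/app/reports"


def resolve_inside(base_dir, user_path):
    """Map a user-supplied file name onto a path under base_dir.

    Returns the absolute path to use, or None if the name escapes base_dir
    (relative traversal, absolute path, drive letter, UNC share).
    """
    # Decode once, so that '..%2f' is judged as the '../' the filesystem will see.
    name = unquote(user_path)
    # Treat backslashes as separators regardless of host: a check written on
    # Linux that ignores them would wave '..\\..\\boot.ini' through to a
    # Windows deployment of the same product.
    name = name.replace("\\", "/")
    # Absolute paths of either convention, drive-relative names (C:foo) and
    # UNC shares (//server/share) are never legitimate here.
    if posixpath.isabs(name) or ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, name))
    # realpath has collapsed '..' and followed symlinks; the result must still
    # be base itself or something below it.
    if os.path.commonpath([base, full]) != base:
        return None
    return full


def relative_verdict(user_path, base_dir=REPORT_DIR):
    """Return the accepted path relative to base_dir, or "rejected"."""
    full = resolve_inside(base_dir, user_path)
    if full is None:
        return "rejected"
    rel = os.path.relpath(full, os.path.realpath(base_dir))
    return rel.replace(os.sep, "/")


if __name__ == "__main__":
    # Constructed inputs in the shape the CVE descriptions give.
    for candidate in ("weekly/summary.pdf", "../../etc/passwd",
                      "..%2f..%2fetc%2fpasswd", "C:\\boot.ini",
                      "..\\..\\Windows\\win.ini", "//fileserver/share/x"):
        print(f"{candidate!r:32} -> {relative_verdict(candidate)}")
```

The comparison is done on the resolved path rather than on the input string, which is what makes it hold up against `..` hidden behind encoding, mixed separators or a symlink planted inside the directory. Checking the string for `..` alone, or only rejecting a leading `/`, is the style of check these CVEs show being bypassed.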

CVE-2015-7766 zohocorp vulnerability CVSS: 9.0 09 Oct 2015, 14:59 UTC

PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO."

CVE-2015-7765 zohocorp vulnerability CVSS: 9.0 09 Oct 2015, 14:59 UTC

ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser account, which allows remote authenticated users to obtain administrator access by leveraging knowledge of this password.

CVE-2015-7387 zohocorp vulnerability CVSS: 7.5 28 Sep 2015, 15:59 UTC

ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200.

CVE-2015-5459 zohocorp vulnerability CVSS: 6.5 08 Jul 2015, 15:59 UTC

SQL injection vulnerability in the AdvanceSearch.class in AdventNetPassTrix.jar in ManageEngine Password Manager Pro (PMP) before 8.1 Build 8101 allows remote authenticated users to execute arbitrary SQL commands via the ANDOR parameter, as demonstrated by a request to STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc.

CVE-2015-5150 zohocorp vulnerability CVSS: 3.5 30 Jun 2015, 14:59 UTC

Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authenticated users to inject arbitrary web script or HTML via the (1) query parameter in the run_query_editor_query module to CustomReportHandler.do, (2) compAcct parameter to jsp/ResetADPwd.jsp, or (3) redirectTo parameter to jsp/CacheScreenWidth.jsp.

CVE-2015-5149 zohocorp vulnerability CVSS: 5.5 30 Jun 2015, 14:59 UTC

Directory traversal vulnerability in Zoho ManageEngine SupportCenter Plus 7.90 allows remote authenticated users to write to arbitrary files via a .. (dot dot) in the component parameter in the Request component to workorder/Attachment.jsp.

CVE-2015-5061 zohocorp vulnerability CVSS: 3.5 24 Jun 2015, 14:59 UTC

Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 and earlier allows remote authenticated users with permissions to add new vendors to inject arbitrary web script or HTML via the organizationName parameter to VendorDef.do.

CVE-2015-2169 zohocorp vulnerability CVSS: 4.3 24 Jun 2015, 14:59 UTC

Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 allows remote attackers to inject arbitrary web script or HTML via a Publisher registry entry, which is not properly handled when the machine is scanned.

CVE-2015-4418 zohocorp vulnerability CVSS: 5.0 09 Jun 2015, 00:59 UTC

Zoho NetFlow Analyzer build 10250 and earlier does not set the autocomplete="off" attribute on a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.

CVE-2015-2961 zohocorp vulnerability CVSS: 6.8 09 Jun 2015, 00:59 UTC

Cross-site request forgery (CSRF) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to hijack the authentication of administrators.

CVE-2015-2960 zohocorp vulnerability CVSS: 4.3 09 Jun 2015, 00:59 UTC

Cross-site scripting (XSS) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2015-2959 zohocorp vulnerability CVSS: 7.5 09 Jun 2015, 00:59 UTC

Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role.

CVE-2015-1026 zohocorp vulnerability CVSS: 4.3 11 Mar 2015, 14:59 UTC

Multiple cross-site scripting (XSS) vulnerabilities in ZOHO ManageEngine ADManager Plus before 6.2 Build 6270 allow remote attackers to inject arbitrary web script or HTML via the (1) technicianSearchText parameter to the Help Desk Technician page or (2) rolesSearchText parameter to the Help Desk Roles.

CVE-2015-1479 zohocorp vulnerability CVSS: 6.5 04 Feb 2015, 16:59 UTC

SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter.

CVE-2014-9331 zohocorp vulnerability CVSS: 6.8 04 Feb 2015, 16:59 UTC

Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via an addUser action to STATE_ID/1417736606982/roleMgmt.do.

CVE-2014-7864 zohocorp vulnerability CVSS: 7.5 04 Feb 2015, 16:59 UTC

Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter in a standbyUpdateInCentral operation to servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.

CVE-2015-0866 zohocorp vulnerability CVSS: 4.3 02 Feb 2015, 15:59 UTC

Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustomer, (2) username, or (3) password parameter to HomePage.do.

CVE-2014-100002 zohocorp vulnerability CVSS: 5.0 13 Jan 2015, 11:59 UTC

Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to WorkOrder.do in the file attachment for a new ticket.

CVE-2014-3779 zohocorp vulnerability CVSS: 4.3 07 Jan 2015, 18:59 UTC

Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to GroupSubscription.do.

CVE-2014-9371 zohocorp vulnerability CVSS: 10.0 16 Dec 2014, 18:59 UTC

The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object.

CVE-2014-7866 zohocorp vulnerability CVSS: 7.5 10 Dec 2014, 18:59 UTC

Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to write and execute arbitrary files via a .. (dot dot) in the (1) fileName parameter to the MigrateLEEData servlet or (2) zipFileName parameter in a downloadFileFromProbe operation to the MigrateCentralData servlet.

CVE-2014-3997 zohocorp vulnerability CVSS: 7.5 05 Dec 2014, 15:59 UTC

SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat.

CVE-2014-7868 zohocorp vulnerability CVSS: 7.5 04 Dec 2014, 17:59 UTC

Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet.

CVE-2014-7867 zohocorp vulnerability CVSS: 7.5 04 Dec 2014, 17:59 UTC

SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the probeName parameter.

CVE-2014-6036 zohocorp vulnerability CVSS: 6.4 04 Dec 2014, 17:59 UTC

Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter.

CVE-2014-6035 zohocorp vulnerability CVSS: 7.5 04 Dec 2014, 17:59 UTC

Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter.

CVE-2014-6034 zohocorp vulnerability CVSS: 5.0 04 Dec 2014, 17:59 UTC

Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter.

CVE-2014-5446 zohocorp vulnerability CVSS: 5.0 04 Dec 2014, 17:59 UTC

Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter.

CVE-2014-5445 zohocorp vulnerability CVSS: 5.0 04 Dec 2014, 17:59 UTC

Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet.

CVE-2014-8498 zohocorp vulnerability CVSS: 6.5 17 Nov 2014, 16:59 UTC

SQL injection vulnerability in BulkEditSearchResult.cc in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allows remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter.

CVE-2014-6037 zohocorp vulnerability CVSS: 7.5 26 Oct 2014, 19:55 UTC

Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its name, then accessing the executable via a direct request to the file under the web root. Fixed in Build 11072.

CVE-2014-5006 zohocorp vulnerability CVSS: 7.5 21 Oct 2014, 15:55 UTC

Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter to mdm/mdmLogUploader.

CVE-2014-5005 zohocorp vulnerability CVSS: 7.5 21 Oct 2014, 15:55 UTC

Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter in an LFU action to statusUpdate.

CVE-2014-6043 zohocorp vulnerability CVSS: 6.5 11 Sep 2014, 15:55 UTC

ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000.

CVE-2014-4930 zohocorp vulnerability CVSS: 4.3 29 Aug 2014, 13:55 UTC

Multiple cross-site scripting (XSS) vulnerabilities in event/index2.do in ManageEngine EventLog Analyzer before 9.0 build 9002 allow remote attackers to inject arbitrary web script or HTML via the (1) width, (2) height, (3) url, (4) helpP, (5) tab, (6) module, (7) completeData, (8) RBBNAME, (9) TC, (10) rtype, (11) eventCriteria, (12) q, (13) flushCache, or (14) product parameter. Fixed in Build 11072.

CVE-2014-5103 zohocorp vulnerability CVSS: 4.3 25 Jul 2014, 19:55 UTC

Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine EventLog Analyzer 9 build 9000 allows remote attackers to inject arbitrary web script or HTML via the j_username parameter to event/j_security_check. Fixed in Version 10 Build 10000.

CVE-2014-2670 zohocorp vulnerability CVSS: 3.5 29 Mar 2014, 20:55 UTC

Cross-site scripting (XSS) vulnerability in Properties.do in ZOHO ManageEngine OpStor before build 8500 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter, a different vulnerability than CVE-2014-0344.

CVE-2014-0344 zohocorp vulnerability CVSS: 6.5 29 Mar 2014, 20:55 UTC

Properties.do in ZOHO ManageEngine OpStor before build 8500 does not properly check privilege levels, which allows remote authenticated users to obtain Admin access by using the name parameter in conjunction with a true value of the edit parameter.

CVE-2012-5956 zohocorp vulnerability CVSS: 4.3 11 Dec 2012, 12:18 UTC

Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine AssetExplorer 5.6 before service pack 5614 allow remote attackers to inject arbitrary web script or HTML via fields in XML asset data to discoveryServlet/WsDiscoveryServlet, as demonstrated by the DocRoot/Computer_Information/output element.

CVE-2011-5105 zohocorp vulnerability CVSS: 4.3 23 Aug 2012, 20:55 UTC

Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 allow remote attackers to inject arbitrary web script or HTML via the (1) searchType and (2) searchString parameters, a different vulnerability than CVE-2010-3274.

CVE-2010-5050 zohocorp vulnerability CVSS: 4.3 23 Nov 2011, 01:55 UTC

Cross-site scripting (XSS) vulnerability in jsp/admin/tools/remote_share.jsp in ManageEngine ADManager Plus 4.4.0 allows remote attackers to inject arbitrary web script or HTML via the computerName parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

CVE-2009-2155 zohocorp vulnerability CVSS: 4.3 22 Jun 2009, 19:30 UTC

Cross-site scripting (XSS) vulnerability in report/ReportViewAction.do in WebNMS Free Edition 5 allows remote attackers to inject arbitrary web script or HTML via the type parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.