Filtered by vendor Zohocorp
Total: 460 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2021-40176 | Zohocorp | Manageengine Log360 | 2021-09-01 | 4.3 MEDIUM | 6.1 MEDIUM | Zoho ManageEngine Log360 before Build 5225 allows stored XSS. |
CVE-2021-40172 | Zohocorp | Manageengine Log360 | 2021-09-01 | 6.8 MEDIUM | 8.8 HIGH | Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings. |
CVE-2021-33617 | Zohocorp | Manageengine Password Manager Pro | 2021-08-10 | 5.0 MEDIUM | 5.3 MEDIUM | Zoho ManageEngine Password Manager Pro before 11.2 build 11200 allows username enumeration via login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName=, because the response to a failed login request is null only when the username is invalid. |
CVE-2021-36772 | Zohocorp | Manageengine Admanager Plus | 2021-07-28 | 4.3 MEDIUM | 6.1 MEDIUM | Zoho ManageEngine ADManager Plus before 7110 allows stored XSS. |
CVE-2021-36771 | Zohocorp | Manageengine Admanager Plus | 2021-07-28 | 4.3 MEDIUM | 6.1 MEDIUM | Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS. |
CVE-2021-20108 | Zohocorp | Manageengine Assetexplorer | 2021-07-28 | 5.0 MEDIUM | 7.5 HIGH | ManageEngine AssetExplorer Agent 1.0.34 listens on port 9000 for incoming commands over HTTPS from the ManageEngine server. The HTTPS certificate is not verified, which allows any user on the network to send commands to port 9000. Although such commands are not executed (the authtoken is validated), the agent still makes an HTTP request back to the ManageEngine server. During this process, AEAgent.cpp allocates 0x66 bytes with malloc that are never freed, causing a memory leak. Additionally, the instruction sent to the agent (NEWSCAN, DELTASCAN, etc.) is converted to a Unicode string that is also never freed. A remote attacker can exploit these leaks for denial of service by repeatedly sending such commands until the agent crashes from an out-of-memory condition. |
CVE-2019-19800 | Zohocorp | Manageengine Applications Manager | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM | Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet. |
CVE-2020-15594 | Zohocorp | Application Control Plus | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM | An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to scan for open ports on a machine, and for reachable machines on the network segment on which the product instance is deployed. |
CVE-2020-15595 | Zohocorp | Application Control Plus | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM | An issue was discovered in Zoho Application Control Plus before version 10.0.511. The Element Configuration feature (used to define the elements managed by the product) allows an attacker to retrieve the entire list of IP ranges and subnets configured in the product and thereby map the internal networks to which the product has access. |
CVE-2020-29658 | Zohocorp | Manageengine Applications Control Plus | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL | Zoho ManageEngine Application Control Plus before 100523 has an insecure SSL configuration setting for Nginx, leading to privilege escalation. |
CVE-2020-13154 | Zohocorp | Manageengine Servicedesk Plus | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM | Zoho ManageEngine ServiceDesk Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet. |
CVE-2020-11532 | Zohocorp | Manageengine Adaudit Plus, Manageengine Datasecurity Plus | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL | Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of the admin user. |
CVE-2020-24397 | Zohocorp | Manageengine Desktop Central | 2021-07-21 | 9.0 HIGH | 7.2 HIGH | An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and remote code execution with SYSTEM privileges. |
CVE-2020-11527 | Zohocorp | Manageengine Opmanager | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH | In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. |
CVE-2019-16962 | Zohocorp | Manageengine Desktop Central | 2021-07-21 | 3.5 LOW | 5.4 MEDIUM | Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a modified Report Name in a New Custom Report. |
CVE-2020-12116 | Zohocorp | Manageengine Opmanager | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH | Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. |
CVE-2020-28050 | Zohocorp | Manageengine Desktop Central | 2021-07-21 | 6.4 MEDIUM | 9.1 CRITICAL | Zoho ManageEngine Desktop Central before build 10.0.647 allows multiple agents to communicate with the server using a single shared authentication secret. |
CVE-2019-16268 | Zohocorp | Manageengine Remote Access Plus | 2021-07-21 | 3.5 LOW | 4.8 MEDIUM | Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen. |
CVE-2020-8540 | Zohocorp | Manageengine Desktop Central | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL | An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. |
CVE-2020-8422 | Zohocorp | Manageengine Remote Access Plus | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM | An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password). |
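The CVE-2020-15594 entry above describes the common SSRF shape in management products: a "test mail gateway" or similar outbound-connection feature accepts an arbitrary host and port, so it doubles as a port scanner of the internal segment. The check below is an added example, not ManageEngine code and not the fix Zoho shipped; it assumes a hypothetical `is_safe_egress_target()` helper that an application would call before opening the outbound connection, restricting the port to the SMTP set and rejecting any destination that resolves to a non-public address (including IPv4-mapped IPv6 and the cloud metadata link-local range).

```python
"""Added example: egress-target validation for a user-configurable mail
gateway, the SSRF class described for CVE-2020-15594. Not ManageEngine
code; function names and the allowlist are assumptions for the demo."""
import ipaddress
import socket
from typing import Callable, Iterable

# Ports a mail-gateway connectivity test legitimately needs. Anything else
# (e.g. 9000, 8383) turns the feature into a port scanner.
ALLOWED_PORTS = {25, 465, 587}


def _resolve_all(host: str) -> list:
    """Return every address (A and AAAA) the host resolves to."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def _is_internal(addr) -> bool:
    """True for anything that is not public unicast."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_safe_egress_target(host: str, port: int,
                          resolver: Callable[[str], Iterable[str]] = _resolve_all) -> bool:
    """Decide whether host:port may be used as an outbound mail-gateway target.

    - the port must be on the SMTP allowlist;
    - a literal IP is checked directly, a hostname is resolved and EVERY
      returned address is checked, because a multi-record answer that mixes
      a public and a private address is a classic bypass;
    - an unresolvable host fails closed.
    """
    if port not in ALLOWED_PORTS:
        return False
    try:
        addrs = [ipaddress.ip_address(host.strip("[]"))]   # literal IP (maybe bracketed IPv6)
    except ValueError:
        addrs = []
        for raw in resolver(host):
            try:
                addrs.append(ipaddress.ip_address(raw))
            except ValueError:
                return False                                # resolver returned garbage
        if not addrs:
            return False
    return not any(_is_internal(a) for a in addrs)


if __name__ == "__main__":
    # Constructed inputs; a fake resolver keeps the demo offline.
    for h, p in [("10.0.0.5", 25), ("169.254.169.254", 587), ("[::1]", 25),
                 ("::ffff:10.0.0.1", 25), ("8.8.8.8", 9000), ("8.8.8.8", 25)]:
        print(f"{h}:{p} -> {'allow' if is_safe_egress_target(h, p) else 'reject'}")
    print(is_safe_egress_target("mail.example.test", 25,
                                resolver=lambda _: ["93.184.216.34", "10.0.0.9"]))
```

The validation is only half the control: the connection that follows must be made to the address that was validated (pass the resolved IP to the socket and set the SMTP hostname separately), otherwise a DNS answer that changes between the check and the connect reintroduces the scan.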
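The CVE-2020-8540 entry above is a textbook XXE: a DTD inside the attacker's XML request defines an external entity, and a parser configured to resolve such entities splices the referenced file (or, for an http: system ID, the fetched URL, which is the SSRF variant) into the document. The following added example reproduces that mechanism with Python's standard-library SAX parser, so it is not ManageEngine code and says nothing about how Desktop Central parses XML; the request document, the element names and the secret file are constructed for the demonstration.

```python
"""Added example: the XXE pattern behind CVE-2020-8540, shown with the
stdlib xml.sax parser in its vulnerable and hardened configurations.
Not ManageEngine code; the XML body and the secret file are constructed."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Collect character data so we can see what an entity expanded to."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_request(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse an untrusted XML request body and return its text content.

    resolve_external_entities=True is the vulnerable configuration: a SYSTEM
    entity declared in the request's own DTD is read from the local filesystem
    (or a URL) and substituted into the document. False, the hardened setting,
    leaves the entity unexpanded.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks)


def build_xxe_payload(path: str) -> bytes:
    """Attacker-controlled request: the DTD defines an entity pointing at a local file."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE request [\n'
        f'  <!ENTITY xxe SYSTEM "{path}">\n'
        ']>\n'
        '<request><computerName>&xxe;</computerName></request>'
    ).encode()


def demo() -> tuple:
    """Write a constructed secret file, then parse the same payload both ways.

    Returns (text_with_vulnerable_parser, text_with_hardened_parser).
    """
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write("db.password=constructed-example-secret")   # constructed, not a real secret
        secret_path = f.name
    try:
        payload = build_xxe_payload(secret_path)
        leaked = parse_request(payload, resolve_external_entities=True)
        safe = parse_request(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

The hardened branch above disables general external entities, which stops both the file-read and the SSRF form of this bug. For the JAXP parsers used by Java applications, the equivalent and preferable setting is to reject any DOCTYPE outright with the `http://apache.org/xml/features/disallow-doctype-decl` feature, which also removes entity-expansion ("billion laughs") denial of service.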