Zoho
A stored XSS vulnerability in the Zoho ZeptoMail transmail WordPress plugin, in versions through 3.3.1, can be triggered via Cross-Site Request Forgery (CSRF), allowing unauthenticated attackers to inject malicious scripts that persist in the application and execute in the browsers of all users who view affected pages. It affects the transmail plugin used for Zoho Mail integration and carries a low exploitation probability (EPSS 0.02%) despite the high impact typical of stored XSS.
A deserialization vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM (CVSS 9.8), rated critical severity with potential for significant impact on affected systems.
Zohocorp ManageEngine ADAudit Plus versions 8510 and prior contain an authenticated SQL injection vulnerability in the alerts module (CWE-89) that allows authenticated users to execute arbitrary SQL commands. An attacker with valid credentials can exploit this network-accessible vulnerability to read sensitive data, modify database contents, or degrade system availability. The CVSS 8.3 score reflects high confidentiality and integrity impact, though authentication is required; real-world exploitation probability and active weaponization status cannot be confirmed without KEV/EPSS data access.
Critical remote code execution vulnerability in Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior, exploitable through the Content Search module without authentication. An attacker can achieve arbitrary code execution with high confidentiality, integrity, and availability impact across the system boundary (CVSS 9.6). This vulnerability requires user interaction (UI=R) and involves improper file upload handling (CWE-434); active exploitation status and POC availability require verification through CISA KEV and public disclosures.
CVE-2025-36528 is an authenticated SQL injection vulnerability in Zohocorp ManageEngine ADAudit Plus versions 8510 and earlier, affecting the Service Account Auditing reports functionality. An authenticated attacker with low privileges can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data disclosure, data modification, or partial denial of service. With a CVSS score of 8.3 and network-accessible attack vector, this represents a significant risk to organizations using affected versions, particularly in environments where administrative audit logs contain sensitive credentials and access patterns.
A SQL injection vulnerability (CVSS 8.3), rated high severity and requiring prompt remediation.