Skip to main content

Zoho

455 CVEs product

Monthly

CVE-2025-5017 MEDIUM This Month

Time-based blind SQL injection in the Catalyst Connect Zoho CRM Client Portal WordPress plugin (all versions ≤ 2.2.0) enables authenticated administrators to exfiltrate arbitrary data from the underlying WordPress database via the unsanitized 'uid' parameter. The CVSS vector (PR:H) confirms exploitation requires administrator-level credentials, meaningfully constraining the attack surface. A public proof-of-concept is available on GitHub (BFS-Lab/BFSDV), and no confirmed patch version has been identified in available intelligence at time of analysis.

WordPress SQLi Zoho Catalyst Connect Zoho Crm Client Portal
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-11374 CRITICAL PATCH Act Now

Account takeover in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus is possible because SSO session-authentication tickets are generated with insufficient randomness and can be predicted by an unauthenticated remote attacker. Successful prediction lets the attacker impersonate arbitrary users and gain full session-level confidentiality, integrity, and availability impact (CVSS 9.0). No public exploit identified at time of analysis, but the issue is acknowledged in the vendor advisory.

Zoho Information Disclosure Manageengine Adselfservice Plus Manageengine Recovery Manager Plus Manageengine M365 Manager Plus +1
NVD VulDB
CVSS 3.1
9.0
EPSS
1.2%
CVE-2026-8174 MEDIUM PATCH This Month

Cross-site request forgery in the Zoho Mail WordPress plugin (all versions before 1.6.2) enables a remote attacker to perform unauthorized, integrity-impacting actions on behalf of an authenticated WordPress user without their knowledge. The CVSS 5.7 medium score reflects high integrity impact with no confidentiality or availability exposure, requiring low-privilege victim authentication and user interaction. No public exploit code exists and no active exploitation has been identified; EPSS sits at the 1st percentile and SSVC classifies exploitation status as none.

CSRF Zoho WordPress Zoho Mail Wordpress Plugin
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-2740 HIGH PATCH This Week

Authenticated remote code execution affects Zoho ManageEngine ADSelfService Plus (before build 6525), DataSecurity Plus (before 6264), and RecoveryManager Plus (before 6313) on agent machines, stemming from a flaw in a bundled third-party dependency. An authenticated attacker with low privileges can inject commands (CWE-77) to execute arbitrary code on managed agent endpoints, with no public exploit identified at time of analysis.

RCE Zoho Command Injection
NVD VulDB
CVSS 3.1
8.4
EPSS
1.2%
CVE-2025-41444 HIGH PATCH This Week

Zohocorp ManageEngine ADAudit Plus versions 8510 and prior contain an authenticated SQL injection vulnerability in the alerts module (CWE-89) that allows authenticated users to execute arbitrary SQL commands. An attacker with valid credentials can exploit this network-accessible vulnerability to read sensitive data, modify database contents, or degrade system availability. The CVSS 8.3 score reflects high confidentiality and integrity impact, though authentication is required; real-world exploitation probability and active weaponization status cannot be confirmed without KEV/EPSS data access.

SQLi Zoho Authentication Bypass Manageengine Adaudit Plus
NVD
CVSS 3.1
8.3
EPSS
0.7%
CVE-2025-3835 CRITICAL PATCH Act Now

Critical remote code execution vulnerability in Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior, exploitable through the Content Search module without authentication. An attacker can achieve arbitrary code execution with high confidentiality, integrity, and availability impact across the system boundary (CVSS 9.6). This vulnerability requires user interaction (UI=R) and involves improper file upload handling (CWE-434); active exploitation status and POC availability require verification through CISA KEV and public disclosures.

Zoho Exchange RCE Manageengine Exchange Reporter Plus
NVD
CVSS 3.1
9.6
EPSS
1.3%
CVE-2025-36528 HIGH PATCH This Week

CVE-2025-36528 is an authenticated SQL injection vulnerability in Zohocorp ManageEngine ADAudit Plus versions 8510 and earlier, affecting the Service Account Auditing reports functionality. An authenticated attacker with low privileges can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data disclosure, data modification, or partial denial of service. With a CVSS score of 8.3 and network-accessible attack vector, this represents a significant risk to organizations using affected versions, particularly in environments where administrative audit logs contain sensitive credentials and access patterns.

SQLi Zoho Information Disclosure Manageengine Adaudit Plus
NVD
CVSS 3.1
8.3
EPSS
0.7%
CVE-2025-27709 HIGH PATCH This Week

A SQL injection vulnerability (CVSS 8.3). High severity vulnerability requiring prompt remediation.

SQLi Zoho Information Disclosure Manageengine Adaudit Plus
NVD
CVSS 3.1
8.3
EPSS
0.7%
CVE-2024-52323 HIGH This Week

Zohocorp ManageEngine Analytics Plus versions below 6100 are vulnerable to authenticated sensitive data exposure which allows the users to retrieve sensitive tokens associated to the org-admin. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zoho Manageengine Analytics Plus
NVD
CVSS 3.1
8.1
EPSS
1.1%
CVE-2024-49574 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8123 are vulnerable to SQL Injection in the reports module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2024-10839 HIGH This Week

Zohocorp ManageEngine SharePoint Manager Plus versions 4503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho XXE Microsoft Manageengine Sharepoint Manager Plus
NVD
CVSS 3.1
8.1
EPSS
1.5%
CVE-2024-24409 HIGH POC This Week

Zohocorp ManageEngine ADManager Plus versions 7203 and prior are vulnerable to Privilege Escalation in the Modify Computers option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Zoho Manageengine Admanager Plus
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
3.9%
CVE-2024-10203 HIGH This Week

Zohocorp ManageEngine EndPoint Central versions 11.3.2416.21 and below, 11.3.2428.9 and below are vulnerable to Arbitrary File Deletion in the agent installed machines. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Zoho Manageengine Endpoint Central
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2024-9459 HIGH This Week

Zohocorp ManageEngine Exchange Reporter Plus versions 5718 and prior are vulnerable to authenticated SQL Injection in reports module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Microsoft Manageengine Exchange Reporter Plus
NVD
CVSS 3.1
8.8
EPSS
2.1%
CVE-2024-36485 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in Technician reports option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2024-48878 HIGH This Week

Zohocorp ManageEngine ADManager Plus versions 7241 and prior are vulnerable to SQL Injection in Archived Audit Report. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Admanager Plus
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2024-5608 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in the technician reports feature. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.1
EPSS
1.3%
CVE-2024-9100 MEDIUM This Month

Zohocorp ManageEngine Analytics Plus versions before 5410 and Zoho Analytics On-Premise versions before 5410 are vulnerable to Path traversal. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Zoho
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-38868 HIGH This Week

Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability while isolating the devices.3.2406.08 and before 11.3.2400.15. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Zoho Manageengine Endpoint Central
NVD
CVSS 3.1
8.3
EPSS
0.8%
CVE-2024-6204 HIGH This Week

Zohocorp ManageEngine Exchange Reporter Plus versions before 5715 are vulnerable to SQL Injection in the reports module. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Microsoft Manageengine Exchange Reporter Plus
NVD
CVSS 3.1
8.1
EPSS
2.0%
CVE-2024-5546 HIGH This Week

Zohocorp ManageEngine Password Manager Pro versions before 12431 and ManageEngine PAM360 versions before 7001 are affected by authenticated SQL Injection vulnerability via a global search option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Pam360 Manageengine Password Manager Pro
NVD
CVSS 3.1
8.8
EPSS
3.0%
CVE-2024-41150 MEDIUM This Month

An Stored Cross-site Scripting vulnerability in request module affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Servicedesk Plus Manageengine Servicedesk Plus Msp Manageengine Supportcenter Plus
NVD
CVSS 3.1
6.1
EPSS
1.2%
CVE-2024-38869 MEDIUM This Month

Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability in remote office deploy configurations.3.2416.04 and before 11.3.2400.25. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Zoho Microsoft Manageengine Servicedesk Plus Manageengine Servicedesk Plus Msp +1
NVD
CVSS 3.1
5.4
EPSS
1.0%
CVE-2024-5586 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to the authenticated SQL injection in extranet lockouts report option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
5.2%
CVE-2024-5556 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in reports module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
4.5%
CVE-2024-5490 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in aggregate reports option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
4.0%
CVE-2024-5467 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to the authenticated SQL injection in account lockout report. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
4.5%
CVE-2024-5466 HIGH This Week

Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to the authenticated remote code execution in the deploy agent option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Zoho Manageengine Opmanager Manageengine Opmanager Msp +2
NVD
CVSS 3.1
8.8
EPSS
7.0%
CVE-2024-36517 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in alerts module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
5.3%
CVE-2024-36516 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in dashboard. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
4.4%
CVE-2024-36515 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in dashboard. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
4.5%
CVE-2024-36514 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in file summary option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
4.0%
CVE-2024-38752 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zoho Campaigns allows Cross-Site Scripting (XSS).0.8. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zoho
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-5527 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in file auditing configuration. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
4.7%
CVE-2024-5487 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in attack surface analyzer's export option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
4.7%
CVE-2024-36518 MEDIUM This Month

Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in attack surface analyzer's dashboard. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
5.4
EPSS
3.1%
CVE-2024-36035 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in user session recording. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
7.4%
CVE-2024-36034 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in aggregate reports' search option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
7.4%
CVE-2024-5678 MEDIUM This Month

Zohocorp ManageEngine Applications Manager versions 170900 and below are vulnerable to the authenticated admin-only SQL Injection in the Create Monitor feature. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD
CVSS 3.1
4.7
EPSS
2.5%
CVE-2024-6748 HIGH This Week

Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and RMM versions 128317 and below are vulnerable to authenticated SQL injection in the URL monitoring. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho
NVD
CVSS 3.1
8.3
EPSS
23.8%
CVE-2024-38872 HIGH This Week

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the monitoring module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Microsoft Manageengine Exchange Reporter Plus
NVD
CVSS 3.1
8.8
EPSS
3.1%
CVE-2024-38871 HIGH This Week

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the reports module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Microsoft Manageengine Exchange Reporter Plus
NVD
CVSS 3.1
8.8
EPSS
3.1%
CVE-2024-38696 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zoho CRM Zoho CRM Lead Magnet allows Reflected XSS.7.8.8. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2024-38870 LOW Monitor

Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and OpManager Enterprise Edition versions before 128104, from 128151 before 128238, from 128247 before 128250 are vulnerable to Stored. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zoho
NVD
CVSS 3.1
3.5
EPSS
0.3%
CVE-2024-5471 CRITICAL Act Now

Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to agent takeover vulnerability due to the hard-coded sensitive keys. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Zoho Manageengine Ddi Central
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2024-27311 HIGH This Week

Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to directory traversal vulnerability which allows the user to upload new files to the server folder. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Zoho File Upload Manageengine Ddi Central
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2024-37225 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zoho Marketing Automation.2.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Marketing Automation
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-36038 MEDIUM This Month

Zoho ManageEngine ITOM products versions from 128234 to 128248 are affected by the stored cross-site scripting vulnerability in the proxy server option. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zoho
NVD
CVSS 3.1
6.3
EPSS
1.4%
CVE-2024-27313 MEDIUM This Month

Zoho ManageEngine PAM360 is vulnerable to Stored XSS vulnerability. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Pam360
NVD
CVSS 3.1
4.6
EPSS
1.3%
CVE-2024-36037 MEDIUM This Month

Zoho ManageEngine ADAudit Plus versions 7260 and below allows unauthorized local agent machine users to view the session recordings. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
5.5
EPSS
0.5%
CVE-2024-36036 MEDIUM This Month

Zoho ManageEngine ADAudit Plus versions 7260 and below allows unauthorized local agent machine users to access sensitive information and modifying the agent configuration. Rated medium severity (CVSS 4.2). No vendor patch available.

Authentication Bypass Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
4.2
EPSS
0.4%
CVE-2024-27310 MEDIUM This Month

Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to the DOS attack due to the malicious LDAP input. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection LDAP Information Disclosure Zoho Manageengine Adselfservice Plus
NVD
CVSS 3.1
6.5
EPSS
2.3%
CVE-2024-27314 LOW Monitor

Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720 are vulnerable to stored XSS in the Custom Actions menu on the request. Rated low severity (CVSS 2.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Servicedesk Plus Manageengine Servicedesk Plus Msp Manageengine Supportcenter Plus
NVD
CVSS 3.1
2.4
EPSS
1.9%
CVE-2024-21791 HIGH This Week

Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL Injection in lockout history option. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
7.2
EPSS
2.2%
CVE-2024-27312 HIGH This Week

Zohocorp ManageEngine PAM360 version 6601 is vulnerable to authorization vulnerability which allows a low-privileged user to perform admin actions. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Zoho Manageengine Pam360
NVD
CVSS 3.1
8.1
EPSS
0.9%
CVE-2024-21775 HIGH This Week

Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to the Authenticated SQL injection in report exporting feature. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Microsoft Manageengine Exchange Reporter Plus
NVD
CVSS 3.1
8.8
EPSS
5.0%
CVE-2024-0269 HIGH This Week

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in File-Summary DrillDown. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
5.4%
CVE-2024-0253 HIGH This Week

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in home Graph-Data. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
8.8
EPSS
5.0%
CVE-2023-48646 HIGH This Week

Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zoho Manageengine Recoverymanager Plus
NVD
CVSS 3.1
7.2
EPSS
82.2%
CVE-2023-6105 MEDIUM POC This Month

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Zoho Manageengine Analytics Plus Manageengine Appcreator Manageengine Application Control Plus +36
NVD
CVSS 3.1
5.5
EPSS
0.7%
CVE-2023-4769 HIGH This Week

A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Zoho Manageengine Desktop Central
NVD
CVSS 3.1
8.8
EPSS
3.3%
CVE-2023-4768 MEDIUM This Month

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Zoho Manageengine Desktop Central
NVD
CVSS 3.1
6.1
EPSS
2.9%
CVE-2023-4767 MEDIUM This Month

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Zoho Manageengine Desktop Central
NVD
CVSS 3.1
6.1
EPSS
2.9%
CVE-2023-41356 MEDIUM This Month

NCSIST ManageEngine Mobile Device Manager(MDM) APP's special function has a path traversal vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Zoho Tronclass Ilearn
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2023-41344 HIGH This Week

NCSIST ManageEngine Mobile Device Manager(MDM) APP's special function has a path traversal vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Zoho Mobile Device Manager
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2023-41904 MEDIUM This Month

Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass (for AuthToken generation) in REST APIs. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Admanager Plus
NVD
CVSS 3.1
5.4
EPSS
2.0%
CVE-2023-38743 HIGH This Week

Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zoho Manageengine Admanager Plus
NVD
CVSS 3.1
7.2
EPSS
11.6%
CVE-2023-35719 MEDIUM This Month

ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass RCE Zoho Manageengine Adselfservice Plus
NVD
CVSS 3.1
6.8
EPSS
26.4%
CVE-2023-39912 MEDIUM This Month

Zoho ManageEngine ADManager Plus before 7203 allows Help Desk Technician users to read arbitrary files on the machine where this product is installed. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Zoho Manageengine Admanager Plus
NVD
CVSS 3.1
4.9
EPSS
4.0%
CVE-2023-35785 HIGH PATCH This Week

Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Microsoft Zoho Authentication Bypass Manageengine Ad360 Manageengine Adaudit Plus +15
NVD
CVSS 3.1
8.1
EPSS
2.4%
CVE-2023-31492 MEDIUM POC This Month

Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Zoho Manageengine Admanager Plus
NVD GitHub
CVSS 3.1
6.5
EPSS
5.3%
CVE-2023-38333 MEDIUM This Month

Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Applications Manager
NVD
CVSS 3.1
6.1
EPSS
2.0%
CVE-2023-32783 HIGH POC This Week

The event analysis component in Zoho ManageEngine ADAudit Plus 7.1.1 allows an attacker to bypass audit detection by creating or renaming user accounts with a "$" symbol suffix. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Adaudit Plus
NVD
CVSS 3.1
7.5
EPSS
3.2%
CVE-2023-38332 MEDIUM This Month

Zoho ManageEngine ADManager Plus through 7201 allow authenticated users to take over another user's account via sensitive information disclosure. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zoho Manageengine Admanager Plus
NVD
CVSS 3.1
6.5
EPSS
3.0%
CVE-2023-29505 HIGH This Week

An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Zoho Manageengine Network Configuration Manager
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2023-38331 MEDIUM This Month

Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Supportcenter Plus
NVD
CVSS 3.1
5.4
EPSS
1.9%
CVE-2023-37308 MEDIUM This Month

Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Adaudit Plus
NVD
CVSS 3.1
5.4
EPSS
1.9%
CVE-2023-34197 MEDIUM This Month

Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Zoho Authentication Bypass Manageengine Servicedesk Plus Manageengine Servicedesk Plus Msp +1
NVD
CVSS 3.1
5.4
EPSS
3.5%
CVE-2023-35786 MEDIUM This Month

Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Zoho Manageengine Admanager Plus
NVD
CVSS 3.1
4.9
EPSS
3.0%
CVE-2023-0588 MEDIUM POC This Month

The Catalyst Connect Zoho CRM Client Portal WordPress plugin before 2.1.0 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Zoho Zoho Crm Client Portal
NVD WPScan
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-35854 CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Adselfservice Plus
NVD GitHub
CVSS 3.1
9.8
EPSS
6.0%
CVE-2023-2527 MEDIUM POC This Month

The Integration for Contact Form 7 and Zoho CRM, Bigin WordPress plugin before 1.2.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress XSS Zoho Integration For Contact Form 7 And Zoho Crm Bigin
NVD WPScan
CVSS 3.1
4.8
EPSS
0.4%
CVE-2023-25976 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin plugin <= 1.2.2 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho CSRF Integration For Contact Form 7 And Zoho Crm Bigin
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2023-31099 HIGH This Week

Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Zoho Manageengine Opmanager
NVD
CVSS 3.1
8.8
EPSS
81.6%
CVE-2023-2291 HIGH POC This Week

Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Zoho PostgreSQL Authentication Bypass Manageengine Access Manager Plus Manageengine Pam360 +1
NVD
CVSS 3.1
7.8
EPSS
0.8%
CVE-2023-29443 MEDIUM This Month

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Zoho Manageengine Assetexplorer Manageengine Servicedesk Plus Manageengine Servicedesk Plus Msp +1
NVD
CVSS 3.1
4.9
EPSS
3.0%
CVE-2023-29442 MEDIUM This Month

Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Applications Manager
NVD
CVSS 3.1
6.1
EPSS
9.4%
CVE-2023-29084 HIGH POC THREAT Act Now

Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Zoho Manageengine Admanager Plus
NVD GitHub
CVSS 3.1
7.2
EPSS
98.4%
CVE-2023-28341 MEDIUM PATCH This Month

Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Zoho Manageengine Applications Manager
NVD
CVSS 3.1
6.1
EPSS
98.8%
CVE-2023-28340 MEDIUM PATCH This Month

Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Zoho Manageengine Applications Manager
NVD
CVSS 3.1
6.5
EPSS
3.2%
EPSS 0% CVSS 4.9
MEDIUM This Month

Time-based blind SQL injection in the Catalyst Connect Zoho CRM Client Portal WordPress plugin (all versions ≤ 2.2.0) enables authenticated administrators to exfiltrate arbitrary data from the underlying WordPress database via the unsanitized 'uid' parameter. The CVSS vector (PR:H) confirms exploitation requires administrator-level credentials, meaningfully constraining the attack surface. A public proof-of-concept is available on GitHub (BFS-Lab/BFSDV), and no confirmed patch version has been identified in available intelligence at time of analysis.

WordPress SQLi Zoho +1
NVD GitHub VulDB
EPSS 1% CVSS 9.0
CRITICAL PATCH Act Now

Account takeover in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus is possible because SSO session-authentication tickets are generated with insufficient randomness and can be predicted by an unauthenticated remote attacker. Successful prediction lets the attacker impersonate arbitrary users and gain full session-level confidentiality, integrity, and availability impact (CVSS 9.0). No public exploit identified at time of analysis, but the issue is acknowledged in the vendor advisory.

Zoho Information Disclosure Manageengine Adselfservice Plus +3
NVD VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Cross-site request forgery in the Zoho Mail WordPress plugin (all versions before 1.6.2) enables a remote attacker to perform unauthorized, integrity-impacting actions on behalf of an authenticated WordPress user without their knowledge. The CVSS 5.7 medium score reflects high integrity impact with no confidentiality or availability exposure, requiring low-privilege victim authentication and user interaction. No public exploit code exists and no active exploitation has been identified; EPSS sits at the 1st percentile and SSVC classifies exploitation status as none.

CSRF Zoho WordPress +1
NVD
EPSS 1% CVSS 8.4
HIGH PATCH This Week

Authenticated remote code execution affects Zoho ManageEngine ADSelfService Plus (before build 6525), DataSecurity Plus (before 6264), and RecoveryManager Plus (before 6313) on agent machines, stemming from a flaw in a bundled third-party dependency. An authenticated attacker with low privileges can inject commands (CWE-77) to execute arbitrary code on managed agent endpoints, with no public exploit identified at time of analysis.

RCE Zoho Command Injection
NVD VulDB
EPSS 1% CVSS 8.3
HIGH PATCH This Week

Zohocorp ManageEngine ADAudit Plus versions 8510 and prior contain an authenticated SQL injection vulnerability in the alerts module (CWE-89) that allows authenticated users to execute arbitrary SQL commands. An attacker with valid credentials can exploit this network-accessible vulnerability to read sensitive data, modify database contents, or degrade system availability. The CVSS 8.3 score reflects high confidentiality and integrity impact, though authentication is required; real-world exploitation probability and active weaponization status cannot be confirmed without KEV/EPSS data access.

SQLi Zoho Authentication Bypass +1
NVD
EPSS 1% CVSS 9.6
CRITICAL PATCH Act Now

Critical remote code execution vulnerability in Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior, exploitable through the Content Search module without authentication. An attacker can achieve arbitrary code execution with high confidentiality, integrity, and availability impact across the system boundary (CVSS 9.6). This vulnerability requires user interaction (UI=R) and involves improper file upload handling (CWE-434); active exploitation status and POC availability require verification through CISA KEV and public disclosures.

Zoho Exchange RCE +1
NVD
EPSS 1% CVSS 8.3
HIGH PATCH This Week

CVE-2025-36528 is an authenticated SQL injection vulnerability in Zohocorp ManageEngine ADAudit Plus versions 8510 and earlier, affecting the Service Account Auditing reports functionality. An authenticated attacker with low privileges can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data disclosure, data modification, or partial denial of service. With a CVSS score of 8.3 and network-accessible attack vector, this represents a significant risk to organizations using affected versions, particularly in environments where administrative audit logs contain sensitive credentials and access patterns.

SQLi Zoho Information Disclosure +1
NVD
EPSS 1% CVSS 8.3
HIGH PATCH This Week

A SQL injection vulnerability (CVSS 8.3). High severity vulnerability requiring prompt remediation.

SQLi Zoho Information Disclosure +1
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Zohocorp ManageEngine Analytics Plus versions below 6100 are vulnerable to authenticated sensitive data exposure which allows the users to retrieve sensitive tokens associated to the org-admin. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zoho Manageengine Analytics Plus
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8123 are vulnerable to SQL Injection in the reports module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Zohocorp ManageEngine SharePoint Manager Plus versions 4503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho XXE Microsoft +1
NVD
EPSS 4% CVSS 8.8
HIGH POC This Week

Zohocorp ManageEngine ADManager Plus versions 7203 and prior are vulnerable to Privilege Escalation in the Modify Computers option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Zoho Manageengine Admanager Plus
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH This Week

Zohocorp ManageEngine EndPoint Central versions 11.3.2416.21 and below, 11.3.2428.9 and below are vulnerable to Arbitrary File Deletion in the agent installed machines. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Zoho Manageengine Endpoint Central
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine Exchange Reporter Plus versions 5718 and prior are vulnerable to authenticated SQL Injection in reports module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Microsoft +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in Technician reports option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine ADManager Plus versions 7241 and prior are vulnerable to SQL Injection in Archived Audit Report. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Admanager Plus
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in the technician reports feature. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Zohocorp ManageEngine Analytics Plus versions before 5410 and Zoho Analytics On-Premise versions before 5410 are vulnerable to Path traversal. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Zoho
NVD
EPSS 1% CVSS 8.3
HIGH This Week

Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability while isolating the devices.3.2406.08 and before 11.3.2400.15. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Zoho Manageengine Endpoint Central
NVD
EPSS 2% CVSS 8.1
HIGH This Week

Zohocorp ManageEngine Exchange Reporter Plus versions before 5715 are vulnerable to SQL Injection in the reports module. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Microsoft +1
NVD
EPSS 3% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine Password Manager Pro versions before 12431 and ManageEngine PAM360 versions before 7001 are affected by authenticated SQL Injection vulnerability via a global search option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Pam360 +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

An Stored Cross-site Scripting vulnerability in request module affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Servicedesk Plus +2
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability in remote office deploy configurations.3.2416.04 and before 11.3.2400.25. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Zoho Microsoft +3
NVD
EPSS 5% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to the authenticated SQL injection in extranet lockouts report option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 5% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in reports module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 4% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in aggregate reports option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 5% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to the authenticated SQL injection in account lockout report. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 7% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to the authenticated remote code execution in the deploy agent option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Zoho +4
NVD
EPSS 5% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in alerts module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 4% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in dashboard. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 5% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in dashboard. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 4% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in file summary option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zoho Campaigns allows Cross-Site Scripting (XSS).0.8. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zoho
NVD
EPSS 5% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in file auditing configuration. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 5% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in attack surface analyzer's export option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 3% CVSS 5.4
MEDIUM This Month

Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in attack surface analyzer's dashboard. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 7% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in user session recording. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 7% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in aggregate reports' search option. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 3% CVSS 4.7
MEDIUM This Month

Zohocorp ManageEngine Applications Manager versions 170900 and below are vulnerable to the authenticated admin-only SQL Injection in the Create Monitor feature. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD
EPSS 24% CVSS 8.3
HIGH This Week

Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and RMM versions 128317 and below are vulnerable to authenticated SQL injection in the URL monitoring. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho
NVD
EPSS 3% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the monitoring module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Microsoft +1
NVD
EPSS 3% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the reports module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Microsoft +1
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zoho CRM Zoho CRM Lead Magnet allows Reflected XSS.7.8.8. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho
NVD
EPSS 0% CVSS 3.5
LOW Monitor

Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and OpManager Enterprise Edition versions before 128104, from 128151 before 128238, from 128247 before 128250 are vulnerable to Stored. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zoho
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to agent takeover vulnerability due to the hard-coded sensitive keys. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Zoho Manageengine Ddi Central
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to directory traversal vulnerability which allows the user to upload new files to the server folder. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Zoho File Upload +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zoho Marketing Automation.2.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Marketing Automation
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

Zoho ManageEngine ITOM products versions from 128234 to 128248 are affected by the stored cross-site scripting vulnerability in the proxy server option. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zoho
NVD
EPSS 1% CVSS 4.6
MEDIUM This Month

Zoho ManageEngine PAM360 is vulnerable to Stored XSS vulnerability. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Pam360
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Zoho ManageEngine ADAudit Plus versions 7260 and below allows unauthorized local agent machine users to view the session recordings. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Zoho Manageengine Adaudit Plus
NVD
EPSS 0% CVSS 4.2
MEDIUM This Month

Zoho ManageEngine ADAudit Plus versions 7260 and below allows unauthorized local agent machine users to access sensitive information and modifying the agent configuration. Rated medium severity (CVSS 4.2). No vendor patch available.

Authentication Bypass Zoho Manageengine Adaudit Plus
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to the DOS attack due to the malicious LDAP input. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection LDAP Information Disclosure +2
NVD
EPSS 2% CVSS 2.4
LOW Monitor

Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720 are vulnerable to stored XSS in the Custom Actions menu on the request. Rated low severity (CVSS 2.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Servicedesk Plus +2
NVD
EPSS 2% CVSS 7.2
HIGH This Week

Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL Injection in lockout history option. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Zohocorp ManageEngine PAM360 version 6601 is vulnerable to authorization vulnerability which allows a low-privileged user to perform admin actions. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Zoho Manageengine Pam360
NVD
EPSS 5% CVSS 8.8
HIGH This Week

Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to the Authenticated SQL injection in report exporting feature. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Microsoft +1
NVD
EPSS 5% CVSS 8.8
HIGH This Week

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in File-Summary DrillDown. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 5% CVSS 8.8
HIGH This Week

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in home Graph-Data. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 82% CVSS 7.2
HIGH This Week

Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zoho Manageengine Recoverymanager Plus
NVD
EPSS 1% CVSS 5.5
MEDIUM POC This Month

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Zoho Manageengine Analytics Plus +38
NVD
EPSS 3% CVSS 8.8
HIGH This Week

A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Zoho Manageengine Desktop Central
NVD
EPSS 3% CVSS 6.1
MEDIUM This Month

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Zoho Manageengine Desktop Central
NVD
EPSS 3% CVSS 6.1
MEDIUM This Month

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Zoho Manageengine Desktop Central
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

NCSIST ManageEngine Mobile Device Manager(MDM) APP's special function has a path traversal vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Zoho Tronclass Ilearn
NVD
EPSS 1% CVSS 7.5
HIGH This Week

NCSIST ManageEngine Mobile Device Manager(MDM) APP's special function has a path traversal vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Zoho Mobile Device Manager
NVD
EPSS 2% CVSS 5.4
MEDIUM This Month

Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass (for AuthToken generation) in REST APIs. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Admanager Plus
NVD
EPSS 12% CVSS 7.2
HIGH This Week

Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zoho Manageengine Admanager Plus
NVD
EPSS 26% CVSS 6.8
MEDIUM This Month

ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass RCE Zoho +1
NVD
EPSS 4% CVSS 4.9
MEDIUM This Month

Zoho ManageEngine ADManager Plus before 7203 allows Help Desk Technician users to read arbitrary files on the machine where this product is installed. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Zoho Manageengine Admanager Plus
NVD
EPSS 2% CVSS 8.1
HIGH PATCH This Week

Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Microsoft Zoho Authentication Bypass +17
NVD
EPSS 5% CVSS 6.5
MEDIUM POC This Month

Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Zoho Manageengine Admanager Plus
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM This Month

Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Applications Manager
NVD
EPSS 3% CVSS 7.5
HIGH POC This Week

The event analysis component in Zoho ManageEngine ADAudit Plus 7.1.1 allows an attacker to bypass audit detection by creating or renaming user accounts with a "$" symbol suffix. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Adaudit Plus
NVD
EPSS 3% CVSS 6.5
MEDIUM This Month

Zoho ManageEngine ADManager Plus through 7201 allow authenticated users to take over another user's account via sensitive information disclosure. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zoho Manageengine Admanager Plus
NVD
EPSS 1% CVSS 8.8
HIGH This Week

An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Zoho Manageengine Network Configuration Manager
NVD
EPSS 2% CVSS 5.4
MEDIUM This Month

Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Supportcenter Plus
NVD
EPSS 2% CVSS 5.4
MEDIUM This Month

Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Adaudit Plus
NVD
EPSS 4% CVSS 5.4
MEDIUM This Month

Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Zoho Authentication Bypass +3
NVD
EPSS 3% CVSS 4.9
MEDIUM This Month

Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Zoho Manageengine Admanager Plus
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The Catalyst Connect Zoho CRM Client Portal WordPress plugin before 2.1.0 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Zoho +1
NVD WPScan
EPSS 6% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Adselfservice Plus
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC This Month

The Integration for Contact Form 7 and Zoho CRM, Bigin WordPress plugin before 1.2.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress XSS +2
NVD WPScan
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin plugin <= 1.2.2 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho CSRF Integration For Contact Form 7 And Zoho Crm Bigin
NVD
EPSS 82% CVSS 8.8
HIGH This Week

Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Zoho Manageengine Opmanager
NVD
EPSS 1% CVSS 7.8
HIGH POC This Week

Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Zoho PostgreSQL Authentication Bypass +3
NVD
EPSS 3% CVSS 4.9
MEDIUM This Month

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Zoho Manageengine Assetexplorer +3
NVD
EPSS 9% CVSS 6.1
MEDIUM This Month

Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Applications Manager
NVD
EPSS 98% CVSS 7.2
HIGH POC THREAT Act Now

Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Zoho Manageengine Admanager Plus
NVD GitHub
EPSS 99% CVSS 6.1
MEDIUM PATCH This Month

Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Zoho Manageengine Applications Manager
NVD
EPSS 3% CVSS 6.5
MEDIUM PATCH This Month

Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

XXE Zoho Manageengine Applications Manager
NVD
Page 1 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy