Skip to main content

Zoho

455 CVEs product

Monthly

CVE-2021-37762 CRITICAL Act Now

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file overwrite leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Zoho File Upload Manageengine Admanager Plus
NVD
CVSS 3.1
9.8
EPSS
7.8%
CVE-2021-33849 MEDIUM POC This Month

A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Zoho Zoho Crm Lead Magnet
NVD
CVSS 3.1
5.4
EPSS
1.0%
CVE-2021-41288 CRITICAL Act Now

Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Opmanager
NVD
CVSS 3.1
9.8
EPSS
79.6%
CVE-2021-41829 HIGH POC This Week

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application's build number to calculate a certain encryption key. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Remote Access Plus
NVD
CVSS 3.1
7.5
EPSS
3.1%
CVE-2021-41828 HIGH POC This Week

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials associated with resetPWD.xml. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Remote Access Plus
NVD
CVSS 3.1
7.5
EPSS
4.6%
CVE-2021-41827 HIGH POC This Week

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials for read-only access. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Remote Access Plus
NVD
CVSS 3.1
7.5
EPSS
4.6%
CVE-2021-37761 CRITICAL Act Now

Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to unrestricted file upload, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Zoho File Upload Manageengine Admanager Plus
NVD
CVSS 3.1
9.8
EPSS
9.2%
CVE-2021-37539 CRITICAL Act Now

Zoho ManageEngine ADManager Plus before 7111 is vulnerable to unrestricted file which leads to Remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Zoho File Upload Manageengine Admanager Plus
NVD
CVSS 3.1
9.8
EPSS
93.4%
CVE-2021-37927 CRITICAL Act Now

Zoho ManageEngine ADManager Plus version 7110 and prior allows account takeover via SSO. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Information Disclosure Jwt Attack Manageengine Admanager Plus
NVD
CVSS 3.1
9.8
EPSS
2.2%
CVE-2021-37925 CRITICAL Act Now

Zoho ManageEngine ADManager Plus version 7110 and prior has a Post-Auth OS command injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Command Injection Manageengine Admanager Plus
NVD
CVSS 3.1
9.8
EPSS
10.5%
CVE-2021-37741 HIGH This Week

ManageEngine ADManager Plus before 7111 has Pre-authentication RCE vulnerabilities. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho File Upload Manageengine Admanager Plus
NVD
CVSS 3.1
8.8
EPSS
2.6%
CVE-2021-37424 CRITICAL PATCH Act Now

ManageEngine ADSelfService Plus before 6112 is vulnerable to domain user account takeover. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Zoho Information Disclosure Manageengine Admanager Plus
NVD
CVSS 3.1
9.8
EPSS
4.6%
CVE-2021-37420 MEDIUM POC PATCH This Month

Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Zoho Authentication Bypass Manageengine Admanager Plus
NVD
CVSS 3.1
6.5
EPSS
1.9%
CVE-2021-37419 HIGH POC PATCH This Week

Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Zoho SSRF Manageengine Admanager Plus
NVD
CVSS 3.1
7.5
EPSS
2.4%
CVE-2021-28960 CRITICAL Act Now

Zoho ManageEngine Desktop Central before build 10.0.683 allows unauthenticated command injection due to improper handling of an input command in on-demand operations. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Command Injection Desktop Central
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2021-37422 CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adselfservice Plus
NVD
CVSS 3.1
9.8
EPSS
3.4%
CVE-2021-37423 CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Information Disclosure Manageengine Adselfservice Plus
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2021-37414 HIGH This Week

Zoho ManageEngine DesktopCentral before 10.0.709 allows anyone to get a valid user's APIKEY without authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Desktop Central
NVD
CVSS 3.1
7.5
EPSS
5.2%
CVE-2021-40539 CRITICAL POC KEV PATCH THREAT Act Now

Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Zoho Authentication Bypass Manageengine Adselfservice Plus
NVD
CVSS 3.1
9.8
EPSS
99.0%
CVE-2021-37415 CRITICAL POC KEV THREAT Act Now

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Servicedesk Plus
NVD
CVSS 3.1
9.8
EPSS
99.9%
CVE-2021-37421 CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Adselfservice Plus
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2021-37417 CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Adselfservice Plus
NVD
CVSS 3.1
9.8
EPSS
4.8%
CVE-2021-37416 MEDIUM POC This Month

Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Adselfservice Plus
NVD
CVSS 3.1
6.1
EPSS
2.9%
CVE-2021-33055 CRITICAL PATCH Act Now

Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Zoho RCE Command Injection Manageengine Adselfservice Plus
NVD
CVSS 3.1
9.8
EPSS
18.1%
CVE-2021-40178 MEDIUM This Month

Zoho ManageEngine Log360 before Build 5224 allows stored XSS via the LOGO_PATH key value in the logon settings. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Log360
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-40177 CRITICAL Act Now

Zoho ManageEngine Log360 before Build 5225 allows remote code execution via BCP file overwrite. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Zoho Manageengine Log360
NVD
CVSS 3.1
9.8
EPSS
4.6%
CVE-2021-40176 MEDIUM This Month

Zoho ManageEngine Log360 before Build 5225 allows stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Log360
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-40175 CRITICAL Act Now

Zoho ManageEngine Log360 before Build 5219 allows unrestricted file upload with resultant remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Zoho File Upload Manageengine Log360
NVD
CVSS 3.1
9.8
EPSS
7.0%
CVE-2021-40174 HIGH This Week

Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Zoho Manageengine Log360
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-40173 HIGH This Week

Zoho ManageEngine Cloud Security Plus before Build 4117 allows a CSRF attack on the server proxy settings. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Zoho Manageengine Cloud Security Plus
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-40172 HIGH This Week

Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Zoho Manageengine Log360
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-33256 HIGH POC THREAT This Week

A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Code Injection Manageengine Adselfservice Plus
NVD
CVSS 3.1
8.8
EPSS
79.0%
CVE-2021-33617 MEDIUM POC This Month

Zoho ManageEngine Password Manager Pro before 11.2 11200 allows login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName= username enumeration, because the response (to a failed login request). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Password Manager Pro
NVD
CVSS 3.1
5.3
EPSS
2.1%
CVE-2021-36772 MEDIUM This Month

Zoho ManageEngine ADManager Plus before 7110 allows stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Admanager Plus
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-36771 MEDIUM This Month

Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Admanager Plus
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-33911 CRITICAL Act Now

Zoho ManageEngine ADManager Plus before 7110 allows remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Zoho Manageengine Admanager Plus
NVD
CVSS 3.1
9.8
EPSS
5.3%
CVE-2021-31874 MEDIUM POC This Month

Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Adselfservice Plus
NVD
CVSS 3.1
5.9
EPSS
4.3%
CVE-2021-31813 MEDIUM POC THREAT This Month

Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Applications Manager
NVD
CVSS 3.1
5.4
EPSS
78.3%
CVE-2021-31531 CRITICAL Act Now

Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho SSRF Manageengine Servicedesk Plus Msp
NVD
CVSS 3.1
9.8
EPSS
2.4%
CVE-2021-31530 HIGH This Week

Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Information Disclosure Manageengine Servicedesk Plus Msp
NVD
CVSS 3.1
7.5
EPSS
2.8%
CVE-2021-31160 HIGH This Week

Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Information Disclosure Manageengine Servicedesk Plus Manageengine Servicedesk Plus Msp
NVD
CVSS 3.1
7.5
EPSS
3.5%
CVE-2021-28958 CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho RCE Command Injection Manageengine Adselfservice Plus
NVD
CVSS 3.1
9.8
EPSS
73.1%
CVE-2021-31857 MEDIUM This Month

In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, attackers are able to retrieve credentials via a browser extension for non-website resource types. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Zoho Information Disclosure Manageengine Password Manager Pro
NVD
CVSS 3.1
5.9
EPSS
2.7%
CVE-2021-31159 MEDIUM POC THREAT This Month

Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Servicedesk Plus Msp
NVD GitHub Exploit-DB
CVSS 3.1
5.3
EPSS
17.8%
CVE-2021-20081 HIGH POC THREAT This Week

Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary commands with SYSTEM privileges. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Servicedesk Plus
NVD
CVSS 3.1
7.2
EPSS
52.4%
CVE-2021-28382 MEDIUM POC This Month

Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Key Manager Plus
NVD
CVSS 3.1
5.4
EPSS
1.2%
CVE-2021-27956 MEDIUM POC This Month

Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Adselfservice Plus
NVD
CVSS 3.1
6.1
EPSS
1.6%
CVE-2021-28959 CRITICAL Act Now

Zoho ManageEngine Eventlog Analyzer through 12147 is vulnerable to unauthenticated directory traversal via an entry in a ZIP archive. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Zoho Manageengine Eventlog Analyzer
NVD
CVSS 3.1
9.8
EPSS
16.9%
CVE-2021-3287 CRITICAL POC THREAT Emergency

Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Zoho Manageengine Opmanager
NVD
CVSS 3.1
9.8
EPSS
51.3%
CVE-2021-20080 MEDIUM POC THREAT This Month

Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Servicedesk Plus
NVD
CVSS 3.1
6.1
EPSS
93.1%
CVE-2021-27214 MEDIUM POC This Month

A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XSS Zoho Manageengine Adselfservice Plus
NVD
CVSS 3.1
6.1
EPSS
2.0%
CVE-2020-27995 CRITICAL Act Now

SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho SQLi Manageengine Applications Manager
NVD
CVSS 3.1
9.8
EPSS
8.7%
CVE-2020-10816 HIGH This Week

Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Applications Manager
NVD
CVSS 3.1
7.5
EPSS
4.8%
CVE-2020-16267 HIGH This Week

Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho SQLi Manageengine Applications Manager
NVD
CVSS 3.1
8.8
EPSS
43.3%
CVE-2020-15927 HIGH This Week

Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho SQLi SAP Manageengine Applications Manager
NVD
CVSS 3.1
8.8
EPSS
40.3%
CVE-2020-24397 HIGH This Week

An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Zoho RCE Integer Overflow Manageengine Desktop Central
NVD
CVSS 3.1
7.2
EPSS
27.8%
CVE-2020-15589 HIGH This Week

A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W and Remote Access. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Zoho RCE Manageengine Desktop Central Manageengine Remote Access Plus
NVD
CVSS 3.1
8.1
EPSS
8.3%
CVE-2020-15533 CRITICAL Act Now

In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho SQLi Manageengine Applications Manager
NVD
CVSS 3.1
9.8
EPSS
4.2%
CVE-2020-15595 MEDIUM POC This Month

An issue was discovered in Zoho Application Control Plus before version 10.0.511. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Application Control Plus
NVD
CVSS 3.1
4.3
EPSS
2.2%
CVE-2020-15594 MEDIUM This Month

An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho SSRF Manageengine Application Control Plus
NVD
CVSS 3.1
4.3
EPSS
1.8%
CVE-2018-5353 CRITICAL POC Act Now

The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Zoho Manageengine Adselfservice Plus
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
8.1%
CVE-2020-15521 MEDIUM This Month

Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS) . Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Applications Manager
NVD
CVSS 3.1
6.1
EPSS
1.7%
CVE-2020-15394 CRITICAL Act Now

The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho SQLi RCE Manageengine Applications Manager
NVD
CVSS 3.1
9.8
EPSS
7.9%
CVE-2020-14008 HIGH POC THREAT This Week

Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Zoho RCE Manageengine Applications Manager
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
35.8%
CVE-2020-24786 CRITICAL Act Now

An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Zoho Microsoft Authentication Bypass Manageengine Adselfservice Plus +10
NVD
CVSS 3.1
9.8
EPSS
12.8%
CVE-2020-11552 CRITICAL POC Act Now

An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Privilege Escalation Microsoft Manageengine Adselfservice Plus
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
7.4%
CVE-2020-15588 CRITICAL Act Now

An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Zoho RCE Integer Overflow Manageengine Desktop Central
NVD
CVSS 3.1
9.8
EPSS
12.7%
CVE-2020-14048 HIGH This Week

Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Servicedesk Plus
NVD
CVSS 3.1
7.5
EPSS
4.8%
CVE-2020-13818 HIGH This Week

In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Path Traversal Manageengine Opmanager
NVD
CVSS 3.1
7.5
EPSS
37.0%
CVE-2020-13154 MEDIUM POC This Month

Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Servicedesk Plus
NVD
CVSS 3.1
6.5
EPSS
3.1%
CVE-2020-11532 CRITICAL POC PATCH THREAT Act Now

Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Zoho Authentication Bypass Manageengine Adaudit Plus Manageengine Datasecurity Plus
NVD
CVSS 3.1
9.8
EPSS
77.5%
CVE-2020-11531 HIGH POC THREAT This Week

The DataEngine Xnode Server application in Zoho ManageEngine DataSecurity Plus prior to 6.0.1 does not validate the database schema name when handling a DR-SCHEMA-SYNC request. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Path Traversal Manageengine Adaudit Plus Manageengine Datasecurity Plus
NVD
CVSS 3.1
8.8
EPSS
13.7%
CVE-2020-12116 HIGH POC THREAT This Week

Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Path Traversal Manageengine Opmanager
NVD
CVSS 3.1
7.5
EPSS
97.4%
CVE-2020-10859 MEDIUM This Month

Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho Path Traversal Manageengine Desktop Central
NVD
CVSS 3.1
6.5
EPSS
4.4%
CVE-2020-11946 HIGH This Week

Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Opmanager
NVD
CVSS 3.1
7.5
EPSS
51.8%
CVE-2020-11527 HIGH This Week

In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Information Disclosure Manageengine Opmanager
NVD
CVSS 3.1
7.5
EPSS
9.5%
CVE-2020-11518 CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho RCE Manageengine Adselfservice Plus
NVD
CVSS 3.1
9.8
EPSS
18.8%
CVE-2020-8509 HIGH This Week

Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Information Disclosure Manageengine Desktop Central
NVD
CVSS 3.1
7.5
EPSS
10.4%
CVE-2020-8838 MEDIUM POC This Month

An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. Rated medium severity (CVSS 6.4). Public exploit code available and no vendor patch available.

Zoho Microsoft RCE Manageengine Assetexplorer
NVD
CVSS 3.1
6.4
EPSS
1.6%
CVE-2020-9347 CRITICAL Act Now

Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Code Injection Manageengine Password Manager Pro
NVD
CVSS 3.1
9.8
EPSS
7.8%
CVE-2020-9346 HIGH This Week

Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho CSRF Manageengine Password Manager Pro
NVD
CVSS 3.1
8.8
EPSS
2.5%
CVE-2020-10541 CRITICAL Act Now

Zoho ManageEngine OpManager before 12.4.179 allows remote code execution via a specially crafted Mail Server Settings v1 API request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho RCE Manageengine Opmanager
NVD
CVSS 3.1
9.8
EPSS
10.1%
CVE-2020-8540 CRITICAL Act Now

An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho SSRF XXE Manageengine Desktop Central
NVD
CVSS 3.1
9.8
EPSS
12.5%
CVE-2020-8422 MEDIUM This Month

An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho Information Disclosure Manageengine Remote Access Plus
NVD
CVSS 3.1
4.3
EPSS
1.4%
CVE-2020-6843 MEDIUM POC This Month

Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Servicedesk Plus
NVD
CVSS 3.1
4.8
EPSS
2.4%
CVE-2019-7162 CRITICAL Act Now

An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Information Disclosure Manageengine Adselfservice Plus
NVD
CVSS 3.1
9.1
EPSS
4.0%
CVE-2019-18781 MEDIUM This Month

An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Open Redirect Manageengine Adselfservice Plus
NVD
CVSS 3.1
6.1
EPSS
1.8%
CVE-2019-19774 HIGH POC THREAT This Week

An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Zoho Manageengine Eventlog Analyzer
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
12.5%
CVE-2019-19650 HIGH This Week

Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Java Zoho Manageengine Applications Manager
NVD
CVSS 3.1
8.8
EPSS
5.7%
CVE-2019-19649 CRITICAL Act Now

Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Java Zoho Manageengine Applications Manager
NVD
CVSS 3.1
9.8
EPSS
9.5%
EPSS 8% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file overwrite leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Zoho File Upload +1
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Zoho +1
NVD
EPSS 80% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Opmanager
NVD
EPSS 3% CVSS 7.5
HIGH POC This Week

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application's build number to calculate a certain encryption key. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Remote Access Plus
NVD
EPSS 5% CVSS 7.5
HIGH POC This Week

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials associated with resetPWD.xml. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Remote Access Plus
NVD
EPSS 5% CVSS 7.5
HIGH POC This Week

Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials for read-only access. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Remote Access Plus
NVD
EPSS 9% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to unrestricted file upload, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Zoho File Upload +1
NVD
EPSS 93% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ADManager Plus before 7111 is vulnerable to unrestricted file which leads to Remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Zoho File Upload +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ADManager Plus version 7110 and prior allows account takeover via SSO. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Information Disclosure Jwt Attack +1
NVD
EPSS 10% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ADManager Plus version 7110 and prior has a Post-Auth OS command injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Command Injection Manageengine Admanager Plus
NVD
EPSS 3% CVSS 8.8
HIGH This Week

ManageEngine ADManager Plus before 7111 has Pre-authentication RCE vulnerabilities. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho File Upload Manageengine Admanager Plus
NVD
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

ManageEngine ADSelfService Plus before 6112 is vulnerable to domain user account takeover. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Zoho Information Disclosure Manageengine Admanager Plus
NVD
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Zoho Authentication Bypass Manageengine Admanager Plus
NVD
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Zoho SSRF Manageengine Admanager Plus
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine Desktop Central before build 10.0.683 allows unauthenticated command injection due to improper handling of an input command in on-demand operations. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Command Injection Desktop Central
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adselfservice Plus
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Information Disclosure Manageengine Adselfservice Plus
NVD
EPSS 5% CVSS 7.5
HIGH This Week

Zoho ManageEngine DesktopCentral before 10.0.709 allows anyone to get a valid user's APIKEY without authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Desktop Central
NVD
EPSS 99% CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Zoho Authentication Bypass +1
NVD
EPSS 100% CVSS 9.8
CRITICAL POC KEV THREAT Act Now

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Servicedesk Plus
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Adselfservice Plus
NVD
EPSS 5% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Adselfservice Plus
NVD
EPSS 3% CVSS 6.1
MEDIUM POC This Month

Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Adselfservice Plus
NVD
EPSS 18% CVSS 9.8
CRITICAL PATCH Act Now

Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Zoho RCE Command Injection +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Zoho ManageEngine Log360 before Build 5224 allows stored XSS via the LOGO_PATH key value in the logon settings. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Log360
NVD
EPSS 5% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine Log360 before Build 5225 allows remote code execution via BCP file overwrite. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Zoho Manageengine Log360
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Zoho ManageEngine Log360 before Build 5225 allows stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Log360
NVD
EPSS 7% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine Log360 before Build 5219 allows unrestricted file upload with resultant remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Zoho File Upload +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Zoho Manageengine Log360
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Zoho ManageEngine Cloud Security Plus before Build 4117 allows a CSRF attack on the server proxy settings. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Zoho Manageengine Cloud Security Plus
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Zoho Manageengine Log360
NVD
EPSS 79% CVSS 8.8
HIGH POC THREAT This Week

A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Code Injection Manageengine Adselfservice Plus
NVD
EPSS 2% CVSS 5.3
MEDIUM POC This Month

Zoho ManageEngine Password Manager Pro before 11.2 11200 allows login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName= username enumeration, because the response (to a failed login request). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Password Manager Pro
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Zoho ManageEngine ADManager Plus before 7110 allows stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Admanager Plus
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Admanager Plus
NVD
EPSS 5% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ADManager Plus before 7110 allows remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Zoho Manageengine Admanager Plus
NVD
EPSS 4% CVSS 5.9
MEDIUM POC This Month

Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Adselfservice Plus
NVD
EPSS 78% CVSS 5.4
MEDIUM POC THREAT This Month

Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Applications Manager
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho SSRF Manageengine Servicedesk Plus Msp
NVD
EPSS 3% CVSS 7.5
HIGH This Week

Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Information Disclosure Manageengine Servicedesk Plus Msp
NVD
EPSS 4% CVSS 7.5
HIGH This Week

Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Information Disclosure Manageengine Servicedesk Plus +1
NVD
EPSS 73% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho RCE Command Injection +1
NVD
EPSS 3% CVSS 5.9
MEDIUM This Month

In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, attackers are able to retrieve credentials via a browser extension for non-website resource types. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Zoho Information Disclosure Manageengine Password Manager Pro
NVD
EPSS 18% CVSS 5.3
MEDIUM POC THREAT This Month

Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Servicedesk Plus Msp
NVD GitHub Exploit-DB
EPSS 52% CVSS 7.2
HIGH POC THREAT This Week

Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary commands with SYSTEM privileges. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Servicedesk Plus
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Key Manager Plus
NVD
EPSS 2% CVSS 6.1
MEDIUM POC This Month

Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Adselfservice Plus
NVD
EPSS 17% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine Eventlog Analyzer through 12147 is vulnerable to unauthenticated directory traversal via an entry in a ZIP archive. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Zoho +1
NVD
EPSS 51% CVSS 9.8
CRITICAL POC THREAT Emergency

Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Zoho +1
NVD
EPSS 93% CVSS 6.1
MEDIUM POC THREAT This Month

Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Servicedesk Plus
NVD
EPSS 2% CVSS 6.1
MEDIUM POC This Month

A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XSS Zoho +1
NVD
EPSS 9% CVSS 9.8
CRITICAL Act Now

SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho SQLi Manageengine Applications Manager
NVD
EPSS 5% CVSS 7.5
HIGH This Week

Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Applications Manager
NVD
EPSS 43% CVSS 8.8
HIGH This Week

Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho SQLi Manageengine Applications Manager
NVD
EPSS 40% CVSS 8.8
HIGH This Week

Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho SQLi SAP +1
NVD
EPSS 28% CVSS 7.2
HIGH This Week

An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Zoho RCE +2
NVD
EPSS 8% CVSS 8.1
HIGH This Week

A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W and Remote Access. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Zoho RCE Manageengine Desktop Central +1
NVD
EPSS 4% CVSS 9.8
CRITICAL Act Now

In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho SQLi Manageengine Applications Manager
NVD
EPSS 2% CVSS 4.3
MEDIUM POC This Month

An issue was discovered in Zoho Application Control Plus before version 10.0.511. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Application Control Plus
NVD
EPSS 2% CVSS 4.3
MEDIUM This Month

An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho SSRF Manageengine Application Control Plus
NVD
EPSS 8% CVSS 9.8
CRITICAL POC Act Now

The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Zoho Manageengine Adselfservice Plus
NVD GitHub VulDB
EPSS 2% CVSS 6.1
MEDIUM This Month

Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS) . Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Applications Manager
NVD
EPSS 8% CVSS 9.8
CRITICAL Act Now

The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho SQLi RCE +1
NVD
EPSS 36% CVSS 7.2
HIGH POC THREAT This Week

Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Zoho RCE +1
NVD Exploit-DB
EPSS 13% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Zoho Microsoft +12
NVD
EPSS 7% CVSS 9.8
CRITICAL POC Act Now

An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Privilege Escalation Microsoft +1
NVD Exploit-DB
EPSS 13% CVSS 9.8
CRITICAL Act Now

An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Zoho RCE +2
NVD
EPSS 5% CVSS 7.5
HIGH This Week

Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Servicedesk Plus
NVD
EPSS 37% CVSS 7.5
HIGH This Week

In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Path Traversal Manageengine Opmanager
NVD
EPSS 3% CVSS 6.5
MEDIUM POC This Month

Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Servicedesk Plus
NVD
EPSS 77% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Zoho Authentication Bypass Manageengine Adaudit Plus +1
NVD
EPSS 14% CVSS 8.8
HIGH POC THREAT This Week

The DataEngine Xnode Server application in Zoho ManageEngine DataSecurity Plus prior to 6.0.1 does not validate the database schema name when handling a DR-SCHEMA-SYNC request. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Path Traversal Manageengine Adaudit Plus +1
NVD
EPSS 97% CVSS 7.5
HIGH POC THREAT This Week

Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Path Traversal Manageengine Opmanager
NVD
EPSS 4% CVSS 6.5
MEDIUM This Month

Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho Path Traversal Manageengine Desktop Central
NVD
EPSS 52% CVSS 7.5
HIGH This Week

Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Opmanager
NVD
EPSS 9% CVSS 7.5
HIGH This Week

In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Information Disclosure Manageengine Opmanager
NVD
EPSS 19% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho RCE Manageengine Adselfservice Plus
NVD
EPSS 10% CVSS 7.5
HIGH This Week

Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Information Disclosure +1
NVD
EPSS 2% CVSS 6.4
MEDIUM POC This Month

An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. Rated medium severity (CVSS 6.4). Public exploit code available and no vendor patch available.

Zoho Microsoft RCE +1
NVD
EPSS 8% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Code Injection Manageengine Password Manager Pro
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho CSRF Manageengine Password Manager Pro
NVD
EPSS 10% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine OpManager before 12.4.179 allows remote code execution via a specially crafted Mail Server Settings v1 API request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho RCE Manageengine Opmanager
NVD
EPSS 12% CVSS 9.8
CRITICAL Act Now

An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho SSRF XXE +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho Information Disclosure Manageengine Remote Access Plus
NVD
EPSS 2% CVSS 4.8
MEDIUM POC This Month

Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Servicedesk Plus
NVD
EPSS 4% CVSS 9.1
CRITICAL Act Now

An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Information Disclosure Manageengine Adselfservice Plus
NVD
EPSS 2% CVSS 6.1
MEDIUM This Month

An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Open Redirect Manageengine Adselfservice Plus
NVD
EPSS 13% CVSS 8.8
HIGH POC THREAT This Week

An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Zoho Manageengine Eventlog Analyzer
NVD GitHub Exploit-DB
EPSS 6% CVSS 8.8
HIGH This Week

Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Java Zoho +1
NVD
EPSS 10% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Java Zoho +1
NVD
Prev Page 3 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy