Skip to main content

Zoho

455 CVEs product

Monthly

CVE-2018-12997 HIGH POC This Week

Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Firewall Analyzer Manageengine Netflow Analyzer Manageengine Network Configuration Manager +2
NVD GitHub
CVSS 3.1
7.5
EPSS
6.7%
CVE-2018-12996 MEDIUM POC This Month

A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho XSS Manageengine Applications Manager
NVD GitHub
CVSS 3.0
6.1
EPSS
3.5%
CVE-2018-11808 CRITICAL Act Now

Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Information Disclosure Manageengine Applications Manager
NVD GitHub
CVSS 3.0
9.1
EPSS
6.4%
CVE-2018-10466 CRITICAL Act Now

Zoho ManageEngine ADAudit Plus before 5.0.0 build 5100 allows blind SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
CVSS 3.0
9.8
EPSS
8.3%
CVE-2018-7248 MEDIUM POC This Month

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Servicedesk Plus
NVD
CVSS 3.1
5.3
EPSS
6.4%
CVE-2018-10803 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho CSRF XSS Manageengine Netflow Analyzer
NVD
CVSS 3.0
6.1
EPSS
0.7%
CVE-2018-5342 HIGH POC This Week

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure PostgreSQL Manageengine Desktop Central
NVD
CVSS 3.0
7.2
EPSS
3.8%
CVE-2018-5341 CRITICAL POC Act Now

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: a missing server-side check on the file type/extension when uploading and modifying scripts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Desktop Central
NVD
CVSS 3.0
9.8
EPSS
8.2%
CVE-2018-5340 HIGH POC This Week

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: database access using a superuser account (specifically, an account with permission to write to the filesystem via. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Desktop Central
NVD
CVSS 3.0
7.2
EPSS
5.2%
CVE-2018-5339 CRITICAL POC Act Now

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Desktop Central
NVD
CVSS 3.0
9.8
EPSS
7.6%
CVE-2018-5338 CRITICAL POC Act Now

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: missing authentication/authorization for a database query mechanism. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Desktop Central
NVD
CVSS 3.0
9.8
EPSS
9.0%
CVE-2018-5337 CRITICAL POC Act Now

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: directory traversal in the SCRIPT_NAME field when modifying existing scripts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Path Traversal Manageengine Desktop Central
NVD
CVSS 3.0
9.8
EPSS
9.5%
CVE-2018-9163 MEDIUM POC This Month

A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho XSS Manageengine Recovery Manager Plus
NVD Exploit-DB
CVSS 3.0
5.4
EPSS
5.0%
CVE-2018-5799 MEDIUM This Month

In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho XSS Manageengine Servicedesk Plus
NVD
CVSS 3.0
6.1
EPSS
2.0%
CVE-2018-8722 MEDIUM This Month

Zoho ManageEngine Desktop Central version 9.1.0 build 91099 has multiple XSS issues that were fixed in build 92026. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho XSS Manageengine Desktop Central
NVD
CVSS 3.0
6.1
EPSS
1.6%
CVE-2018-8721 MEDIUM POC This Month

Zoho ManageEngine EventLog Analyzer version 11.0 build 11000 has Stored XSS related to the index2.do?url=editAlertForm&tab=alert&alert=profile URI and the Edit Alert Profile screen. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho XSS Manageengine Eventlog Analyzer
NVD
CVSS 3.0
6.1
EPSS
2.0%
CVE-2018-7405 MEDIUM This Month

Cross-site scripting (XSS) in Zoho ManageEngine EventLog Analyzer before 11.12 Build 11120 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho XSS Manageengine Eventlog Analyzer
NVD
CVSS 3.0
6.1
EPSS
1.3%
CVE-2018-7890 CRITICAL POC THREAT Emergency

A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho RCE Command Injection Manageengine Applications Manager
NVD GitHub Exploit-DB
CVSS 3.0
9.8
EPSS
79.2%
CVE-2017-17698 MEDIUM This Month

Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflected XSS in SearchResult.ec and BulkAccessControlView.ec. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Password Manager Pro
NVD
CVSS 3.0
6.1
EPSS
1.9%
CVE-2017-16851 CRITICAL Act Now

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.3% and no vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD
CVSS 3.0
9.8
EPSS
12.3%
CVE-2017-16850 CRITICAL Act Now

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.3% and no vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD
CVSS 3.0
9.8
EPSS
12.3%
CVE-2017-16849 CRITICAL Act Now

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.3% and no vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD
CVSS 3.0
9.8
EPSS
12.3%
CVE-2017-16848 CRITICAL Act Now

Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD
CVSS 3.0
9.8
EPSS
9.5%
CVE-2017-16847 CRITICAL Act Now

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.3% and no vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD
CVSS 3.0
9.8
EPSS
12.3%
CVE-2017-16846 CRITICAL Act Now

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.3% and no vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD
CVSS 3.0
9.8
EPSS
12.3%
CVE-2017-11512 HIGH POC THREAT Act Now

The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 82.9%.

Path Traversal Zoho Servicedesk
NVD
CVSS 3.0
7.5
EPSS
82.9%
Threat
5.5
CVE-2017-11511 HIGH This Week

The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the filepath parameter for the download-file URL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Zoho Servicedesk
NVD
CVSS 3.0
7.5
EPSS
4.1%
CVE-2017-16543 CRITICAL POC Act Now

Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
1.9%
CVE-2017-16542 HIGH POC This Week

Zoho ManageEngine Applications Manager 13 before build 13500 allows Post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
1.2%
CVE-2017-14582 MEDIUM This Month

The Zoho Site24x7 Mobile Network Poller application before 1.1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google Information Disclosure Zoho Site24X7 Mobile Network Poller
NVD
CVSS 3.0
5.9
EPSS
0.2%
CVE-2015-8249 CRITICAL POC THREAT Emergency

The FileUploadServlet class in ManageEngine Desktop Central 9 before build 91093 allows remote attackers to upload and execute arbitrary files via the ConnectionId parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.2%.

File Upload Zoho Desktop Central
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
80.2%
Threat
5.9
CVE-2017-14123 HIGH POC PATCH This Week

Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upload vulnerability in the "Group Chat" section. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP File Upload Zoho Manageengine Firewall Analyzer
NVD
CVSS 3.1
8.8
EPSS
4.4%
CVE-2015-9107 CRITICAL Act Now

Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Zoho Manageengine Opmanager
NVD GitHub
CVSS 3.0
9.8
EPSS
1.7%
CVE-2017-11687 MEDIUM POC This Month

Multiple Persistent cross-site scripting (XSS) vulnerabilities in Event log parsing and Display functions in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Eventlog Analyzer
NVD
CVSS 3.0
6.1
EPSS
0.5%
CVE-2017-11686 MEDIUM POC This Month

Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attackers to obtain an authenticated user's password via XSS vulnerabilities or sniffing non-SSL traffic on the network, because the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Eventlog Analyzer
NVD
CVSS 3.0
6.1
EPSS
1.7%
CVE-2017-11685 MEDIUM POC This Month

Multiple Reflective cross-site scripting (XSS) vulnerabilities in search and display of event data in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Eventlog Analyzer
NVD
CVSS 3.0
6.1
EPSS
0.5%
CVE-2017-11346 CRITICAL POC PATCH THREAT Act Now

Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 25.0%.

RCE Zoho Manageengine Desktop Central
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
25.0%
Threat
4.2
CVE-2015-7781 HIGH This Week

ManageEngine Firewall Analyzer before 8.0 does not restrict access permissions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Zoho Manageengine Firewall Analyzer
NVD
CVSS 3.0
7.5
EPSS
6.7%
CVE-2015-7780 MEDIUM POC THREAT This Month

Directory traversal vulnerability in ManageEngine Firewall Analyzer before 8.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 36.2%.

Path Traversal Zoho Manageengine Firewall Analyzer
NVD
CVSS 3.0
6.5
EPSS
36.2%
CVE-2017-7213 CRITICAL PATCH Act Now

Zoho ManageEngine Desktop Central before build 100082 allows remote attackers to obtain control over all connected active desktops via unspecified vectors. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.4%.

Information Disclosure Zoho Manageengine Desktop Central
NVD
CVSS 3.0
10.0
EPSS
10.4%
CVE-2016-1161 HIGH This Week

Cross-site request forgery (CSRF) vulnerability in ManageEngine Password Manager Pro before 8.5 (Build 8500). Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF Zoho Password Manager Pro
NVD
CVSS 3.0
8.0
EPSS
0.2%
CVE-2016-4890 MEDIUM This Month

ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Zoho Servicedesk Plus
NVD
CVSS 3.0
5.3
EPSS
3.0%
CVE-2016-4889 HIGH This Week

ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Zoho Servicedesk Plus
NVD
CVSS 3.0
8.8
EPSS
4.3%
CVE-2016-4888 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zoho Servicedesk Plus
NVD
CVSS 3.0
5.4
EPSS
2.4%
CVE-2016-6603 CRITICAL POC THREAT Emergency

ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 70.3%.

Authentication Bypass Zoho Webnms Framework
NVD GitHub Exploit-DB VulDB
CVSS 3.0
9.8
EPSS
70.3%
Threat
5.6
CVE-2016-6602 CRITICAL POC THREAT Emergency

ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 47.8%.

Information Disclosure Zoho Webnms Framework
NVD GitHub Exploit-DB VulDB
CVSS 3.0
9.8
EPSS
47.8%
Threat
4.9
CVE-2016-6601 HIGH POC THREAT Act Now

Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 92.8%.

Path Traversal Zoho Webnms Framework
NVD GitHub Exploit-DB VulDB
CVSS 3.0
7.5
EPSS
92.8%
Threat
5.8
CVE-2016-6600 CRITICAL POC THREAT Emergency

Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.6%.

Path Traversal File Upload Zoho Webnms Framework
NVD GitHub Exploit-DB VulDB
CVSS 3.0
9.8
EPSS
90.6%
Threat
6.2
CVE-2015-7766 CRITICAL POC THREAT Emergency

PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 77.5%.

Zoho Privilege Escalation Manageengine Opmanager
NVD Exploit-DB
CVSS 2.0
9.0
EPSS
77.5%
Threat
5.6
CVE-2015-7765 CRITICAL POC THREAT Emergency

ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser account, which allows remote authenticated users to obtain administrator access. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 77.7%.

Zoho Information Disclosure Manageengine Opmanager
NVD Exploit-DB
CVSS 2.0
9.0
EPSS
77.7%
Threat
5.6
CVE-2015-7387 HIGH POC THREAT Act Now

ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 81.7%.

Zoho SQLi Manageengine Eventlog Analyzer
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
81.7%
Threat
5.5
CVE-2015-5459 MEDIUM POC PATCH This Month

SQL injection vulnerability in the AdvanceSearch.class in AdventNetPassTrix.jar in ManageEngine Password Manager Pro (PMP) before 8.1 Build 8101 allows remote authenticated users to execute arbitrary. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Zoho SQLi Manageengine Password Manager Pro
NVD
CVSS 2.0
6.5
EPSS
0.8%
CVE-2015-5150 LOW POC Monitor

Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authenticated users to inject arbitrary web script or HTML via the (1) query parameter in. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Zoho XSS Manageengine Supportcenter Plus
NVD Exploit-DB
CVSS 2.0
3.5
EPSS
1.0%
CVE-2015-5149 MEDIUM POC THREAT This Month

Directory traversal vulnerability in Zoho ManageEngine SupportCenter Plus 7.90 allows remote authenticated users to write to arbitrary files via a .. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 42.5%.

Path Traversal Zoho Manageengine Supportcenter Plus
NVD Exploit-DB
CVSS 2.0
5.5
EPSS
42.5%
CVE-2015-5061 LOW POC Monitor

Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 and earlier allows remote authenticated users with permissions to add new vendors to inject arbitrary. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Zoho XSS Manageengine Assetexplorer
NVD
CVSS 2.0
3.5
EPSS
0.3%
CVE-2015-2169 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 allows remote attackers to inject arbitrary web script or HTML via a Publisher registry entry, which. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Zoho XSS Manageengine Assetexplorer
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
4.1%
CVE-2015-4418 MEDIUM This Month

Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Netflow Analyzer
NVD
CVSS 2.0
5.0
EPSS
4.9%
CVE-2015-2961 MEDIUM PATCH This Month

Cross-site request forgery (CSRF) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to hijack the authentication of administrators. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

Zoho CSRF Manageengine Netflow Analyzer
NVD
CVSS 2.0
6.8
EPSS
0.4%
CVE-2015-2960 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Zoho XSS Manageengine Netflow Analyzer
NVD
CVSS 2.0
4.3
EPSS
0.2%
CVE-2015-2959 HIGH PATCH This Week

Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Zoho Authentication Bypass Manageengine Netflow Analyzer
NVD
CVSS 2.0
7.5
EPSS
0.8%
CVE-2015-1026 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in ZOHO ManageEngine ADManager Plus before 6.2 Build 6270 allow remote attackers to inject arbitrary web script or HTML via the (1). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Zoho XSS Manageengine Admanager Plus
NVD
CVSS 2.0
4.3
EPSS
0.4%
CVE-2015-1480 MEDIUM POC THREAT This Month

ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 18.2%.

Zoho Information Disclosure Servicedesk Plus
NVD Exploit-DB
CVSS 2.0
4.0
EPSS
18.2%
CVE-2015-1479 MEDIUM POC THREAT This Month

SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 10.6%.

Zoho SQLi Servicedesk Plus
NVD Exploit-DB
CVSS 2.0
6.5
EPSS
10.6%
CVE-2014-9331 MEDIUM POC PATCH This Month

Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

Zoho CSRF Manageengine Desktop Central
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
2.0%
CVE-2014-7864 HIGH POC THREAT Act Now

Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 32.2%.

Zoho SQLi Manageengine Opmanager
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
32.2%
Threat
4.0
CVE-2015-0866 MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

Zoho XSS Manageengine Supportcenter Plus
NVD
CVSS 2.0
4.3
EPSS
0.4%
CVE-2014-100002 MEDIUM POC THREAT This Month

Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 78.9%.

Path Traversal Zoho Manageengine Supportcenter Plus
NVD Exploit-DB
CVSS 2.0
5.0
EPSS
78.9%
Threat
4.9
CVE-2014-3779 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Zoho XSS Manageengine Adselfservice Plus
NVD
CVSS 2.0
4.3
EPSS
0.6%
CVE-2013-6227 HIGH POC PATCH THREAT Act Now

Unrestricted file upload vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to execute arbitrary code by. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 19.4%.

Zoho RCE PHP File Upload Ajaxplorer +1
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
19.4%
CVE-2014-9373 CRITICAL Act Now

Directory traversal vulnerability in the CollectorConfInfoServlet servlet in ManageEngine NetFlow Analyzer allows remote attackers to execute arbitrary code via a .. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal RCE Zoho Netflow Analyzer
NVD
CVSS 2.0
10.0
EPSS
6.8%
CVE-2014-9372 MEDIUM This Month

Directory traversal vulnerability in the UploadAccountActivities servlet in ManageEngine Password Manager Pro (PMP) before 7103 allows remote attackers to delete arbitrary files via a .. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Zoho Password Manager Pro
NVD
CVSS 2.0
6.4
EPSS
1.6%
CVE-2014-9371 CRITICAL Act Now

The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 10.2% and no vendor patch available.

Zoho RCE Manageengine Desktop Central
NVD
CVSS 2.0
10.0
EPSS
10.2%
CVE-2014-7866 HIGH POC THREAT Act Now

Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 82.8%.

Path Traversal Zoho Manageengine Social It Plus Manageengine It360 Manageengine Opmanager
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
82.8%
Threat
5.5
CVE-2014-3997 HIGH POC This Week

SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho SQLi Manageengine Password Manager Pro Manageengine It360
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
1.3%
CVE-2014-3996 HIGH POC THREAT Act Now

SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90043, Password Manager. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 71.2%.

Zoho SQLi It360 Password Manager Pro Desktop Central
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
71.2%
Threat
5.1
CVE-2014-7868 HIGH POC THREAT Act Now

Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 69.7%.

Zoho SQLi Manageengine Social It Plus Manageengine Opmanager Manageengine It360
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
69.7%
Threat
5.1
CVE-2014-7867 HIGH PATCH Act Now

SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 62.1%.

Zoho SQLi Manageengine Opmanager Manageengine Social It Plus Manageengine It360
NVD
CVSS 2.0
7.5
EPSS
62.1%
CVE-2014-6036 MEDIUM POC PATCH THREAT This Month

Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 36.5%.

Path Traversal Zoho Manageengine Opmanager Manageengine It360 Manageengine Social It Plus
NVD Exploit-DB
CVSS 2.0
6.4
EPSS
36.5%
CVE-2014-6035 HIGH POC PATCH THREAT Act Now

Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 11.6%.

Path Traversal Zoho Manageengine Opmanager
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
11.6%
CVE-2014-6034 MEDIUM POC PATCH THREAT This Month

Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 86.6%.

Path Traversal Zoho Manageengine Social It Plus Manageengine It360 Manageengine Opmanager
NVD Exploit-DB
CVSS 2.0
5.0
EPSS
86.6%
Threat
5.1
CVE-2014-5446 MEDIUM POC THREAT This Month

Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 65.7%.

Path Traversal Zoho Manageengine It360 Manageengine Netflow Analyzer
NVD Exploit-DB
CVSS 2.0
5.0
EPSS
65.7%
Threat
4.5
CVE-2014-5445 MEDIUM POC THREAT This Month

Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 91.0%.

Path Traversal Zoho Manageengine It360 Manageengine Netflow Analyzer
NVD GitHub Exploit-DB
CVSS 2.0
5.0
EPSS
91.0%
Threat
5.2
CVE-2014-8678 HIGH This Week

The ConfigSaveServlet servlet in ManageEngine OpUtils before build 71024 allows remote attackers to "disclose" files via a crafted filename, related to "saveFile.". Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho Information Disclosure Oputils
NVD
CVSS 2.0
7.8
EPSS
0.4%
CVE-2014-8499 MEDIUM POC THREAT This Month

Multiple SQL injection vulnerabilities in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allow remote authenticated. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 74.9%.

Zoho SQLi Password Manager Pro
NVD Exploit-DB
CVSS 2.0
6.5
EPSS
74.9%
Threat
5.0
CVE-2014-8498 MEDIUM POC This Month

SQL injection vulnerability in BulkEditSearchResult.cc in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allows remote. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho SQLi Manageengine Password Manager Pro
NVD Exploit-DB
CVSS 2.0
6.5
EPSS
4.6%
CVE-2014-6037 HIGH POC THREAT Act Now

Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 81.7%.

Path Traversal RCE Zoho Manageengine Eventlog Analyzer
NVD Exploit-DB GitHub
CVSS 2.0
7.5
EPSS
81.7%
Threat
5.5
CVE-2014-5006 HIGH POC THREAT Act Now

Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 55.9%.

Path Traversal RCE Zoho Manageengine Desktop Central
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
55.9%
Threat
4.7
CVE-2014-5005 HIGH POC THREAT Act Now

Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 85.8%.

Path Traversal RCE Zoho Manageengine Desktop Central
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
85.8%
Threat
5.6
CVE-2014-6686 MEDIUM This Month

The Zoho Books - Accounting App (aka com.zoho.books) application 3.1.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and. Rated medium severity (CVSS 5.4). No vendor patch available.

Zoho Google Information Disclosure Zoho Books Accounting App
NVD
CVSS 2.0
5.4
EPSS
0.1%
CVE-2014-6043 MEDIUM POC This Month

ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Privilege Escalation Manageengine Eventlog Analyzer
NVD Exploit-DB
CVSS 2.0
6.5
EPSS
4.8%
EPSS 7% CVSS 7.5
HIGH POC This Week

Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Firewall Analyzer +4
NVD GitHub
EPSS 3% CVSS 6.1
MEDIUM POC This Month

A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho XSS Manageengine Applications Manager
NVD GitHub
EPSS 6% CVSS 9.1
CRITICAL Act Now

Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho Information Disclosure Manageengine Applications Manager
NVD GitHub
EPSS 8% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine ADAudit Plus before 5.0.0 build 5100 allows blind SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Adaudit Plus
NVD
EPSS 6% CVSS 5.3
MEDIUM POC This Month

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Servicedesk Plus
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho CSRF XSS +1
NVD
EPSS 4% CVSS 7.2
HIGH POC This Week

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure PostgreSQL +1
NVD
EPSS 8% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: a missing server-side check on the file type/extension when uploading and modifying scripts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Desktop Central
NVD
EPSS 5% CVSS 7.2
HIGH POC This Week

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: database access using a superuser account (specifically, an account with permission to write to the filesystem via. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Desktop Central
NVD
EPSS 8% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Desktop Central
NVD
EPSS 9% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: missing authentication/authorization for a database query mechanism. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Desktop Central
NVD
EPSS 9% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: directory traversal in the SCRIPT_NAME field when modifying existing scripts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Path Traversal Manageengine Desktop Central
NVD
EPSS 5% CVSS 5.4
MEDIUM POC This Month

A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho XSS Manageengine Recovery Manager Plus
NVD Exploit-DB
EPSS 2% CVSS 6.1
MEDIUM This Month

In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho XSS Manageengine Servicedesk Plus
NVD
EPSS 2% CVSS 6.1
MEDIUM This Month

Zoho ManageEngine Desktop Central version 9.1.0 build 91099 has multiple XSS issues that were fixed in build 92026. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho XSS Manageengine Desktop Central
NVD
EPSS 2% CVSS 6.1
MEDIUM POC This Month

Zoho ManageEngine EventLog Analyzer version 11.0 build 11000 has Stored XSS related to the index2.do?url=editAlertForm&tab=alert&alert=profile URI and the Edit Alert Profile screen. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho XSS Manageengine Eventlog Analyzer
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting (XSS) in Zoho ManageEngine EventLog Analyzer before 11.12 Build 11120 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Zoho XSS Manageengine Eventlog Analyzer
NVD
EPSS 79% CVSS 9.8
CRITICAL POC THREAT Emergency

A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho RCE Command Injection +1
NVD GitHub Exploit-DB
EPSS 2% CVSS 6.1
MEDIUM This Month

Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflected XSS in SearchResult.ec and BulkAccessControlView.ec. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zoho Manageengine Password Manager Pro
NVD
EPSS 12% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.3% and no vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD
EPSS 12% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.3% and no vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD
EPSS 12% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.3% and no vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD
EPSS 9% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD
EPSS 12% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.3% and no vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD
EPSS 12% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.3% and no vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD
EPSS 83% 5.5 CVSS 7.5
HIGH POC THREAT Act Now

The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 82.9%.

Path Traversal Zoho Servicedesk
NVD
EPSS 4% CVSS 7.5
HIGH This Week

The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the filepath parameter for the download-file URL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Zoho Servicedesk
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD Exploit-DB
EPSS 1% CVSS 8.8
HIGH POC This Week

Zoho ManageEngine Applications Manager 13 before build 13500 allows Post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Zoho Manageengine Applications Manager
NVD Exploit-DB
EPSS 0% CVSS 5.9
MEDIUM This Month

The Zoho Site24x7 Mobile Network Poller application before 1.1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google Information Disclosure Zoho +1
NVD
EPSS 80% 5.9 CVSS 9.8
CRITICAL POC THREAT Emergency

The FileUploadServlet class in ManageEngine Desktop Central 9 before build 91093 allows remote attackers to upload and execute arbitrary files via the ConnectionId parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.2%.

File Upload Zoho Desktop Central
NVD Exploit-DB
EPSS 4% CVSS 8.8
HIGH POC PATCH This Week

Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upload vulnerability in the "Group Chat" section. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP File Upload Zoho +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Zoho Manageengine Opmanager
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Multiple Persistent cross-site scripting (XSS) vulnerabilities in Event log parsing and Display functions in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Eventlog Analyzer
NVD
EPSS 2% CVSS 6.1
MEDIUM POC This Month

Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attackers to obtain an authenticated user's password via XSS vulnerabilities or sniffing non-SSL traffic on the network, because the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Eventlog Analyzer
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Multiple Reflective cross-site scripting (XSS) vulnerabilities in search and display of event data in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Zoho Manageengine Eventlog Analyzer
NVD
EPSS 25% 4.2 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 25.0%.

RCE Zoho Manageengine Desktop Central
NVD Exploit-DB
EPSS 7% CVSS 7.5
HIGH This Week

ManageEngine Firewall Analyzer before 8.0 does not restrict access permissions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Zoho Manageengine Firewall Analyzer
NVD
EPSS 36% CVSS 6.5
MEDIUM POC THREAT This Month

Directory traversal vulnerability in ManageEngine Firewall Analyzer before 8.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 36.2%.

Path Traversal Zoho Manageengine Firewall Analyzer
NVD
EPSS 10% CVSS 10.0
CRITICAL PATCH Act Now

Zoho ManageEngine Desktop Central before build 100082 allows remote attackers to obtain control over all connected active desktops via unspecified vectors. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.4%.

Information Disclosure Zoho Manageengine Desktop Central
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Cross-site request forgery (CSRF) vulnerability in ManageEngine Password Manager Pro before 8.5 (Build 8500). Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF Zoho Password Manager Pro
NVD
EPSS 3% CVSS 5.3
MEDIUM This Month

ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Zoho Servicedesk Plus
NVD
EPSS 4% CVSS 8.8
HIGH This Week

ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Zoho Servicedesk Plus
NVD
EPSS 2% CVSS 5.4
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zoho Servicedesk Plus
NVD
EPSS 70% 5.6 CVSS 9.8
CRITICAL POC THREAT Emergency

ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 70.3%.

Authentication Bypass Zoho Webnms Framework
NVD GitHub Exploit-DB VulDB
EPSS 48% 4.9 CVSS 9.8
CRITICAL POC THREAT Emergency

ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 47.8%.

Information Disclosure Zoho Webnms Framework
NVD GitHub Exploit-DB VulDB
EPSS 93% 5.8 CVSS 7.5
HIGH POC THREAT Act Now

Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 92.8%.

Path Traversal Zoho Webnms Framework
NVD GitHub Exploit-DB VulDB
EPSS 91% 6.2 CVSS 9.8
CRITICAL POC THREAT Emergency

Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.6%.

Path Traversal File Upload Zoho +1
NVD GitHub Exploit-DB VulDB
EPSS 78% 5.6 CVSS 9.0
CRITICAL POC THREAT Emergency

PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 77.5%.

Zoho Privilege Escalation Manageengine Opmanager
NVD Exploit-DB
EPSS 78% 5.6 CVSS 9.0
CRITICAL POC THREAT Emergency

ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser account, which allows remote authenticated users to obtain administrator access. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 77.7%.

Zoho Information Disclosure Manageengine Opmanager
NVD Exploit-DB
EPSS 82% 5.5 CVSS 7.5
HIGH POC THREAT Act Now

ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 81.7%.

Zoho SQLi Manageengine Eventlog Analyzer
NVD Exploit-DB
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

SQL injection vulnerability in the AdvanceSearch.class in AdventNetPassTrix.jar in ManageEngine Password Manager Pro (PMP) before 8.1 Build 8101 allows remote authenticated users to execute arbitrary. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Zoho SQLi Manageengine Password Manager Pro
NVD
EPSS 1% CVSS 3.5
LOW POC Monitor

Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authenticated users to inject arbitrary web script or HTML via the (1) query parameter in. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Zoho XSS Manageengine Supportcenter Plus
NVD Exploit-DB
EPSS 42% CVSS 5.5
MEDIUM POC THREAT This Month

Directory traversal vulnerability in Zoho ManageEngine SupportCenter Plus 7.90 allows remote authenticated users to write to arbitrary files via a .. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 42.5%.

Path Traversal Zoho Manageengine Supportcenter Plus
NVD Exploit-DB
EPSS 0% CVSS 3.5
LOW POC Monitor

Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 and earlier allows remote authenticated users with permissions to add new vendors to inject arbitrary. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Zoho XSS Manageengine Assetexplorer
NVD
EPSS 4% CVSS 4.3
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 allows remote attackers to inject arbitrary web script or HTML via a Publisher registry entry, which. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Zoho XSS Manageengine Assetexplorer
NVD Exploit-DB
EPSS 5% CVSS 5.0
MEDIUM This Month

Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho Authentication Bypass Manageengine Netflow Analyzer
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Cross-site request forgery (CSRF) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to hijack the authentication of administrators. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

Zoho CSRF Manageengine Netflow Analyzer
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Zoho XSS Manageengine Netflow Analyzer
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Zoho Authentication Bypass Manageengine Netflow Analyzer
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in ZOHO ManageEngine ADManager Plus before 6.2 Build 6270 allow remote attackers to inject arbitrary web script or HTML via the (1). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Zoho XSS Manageengine Admanager Plus
NVD
EPSS 18% CVSS 4.0
MEDIUM POC THREAT This Month

ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 18.2%.

Zoho Information Disclosure Servicedesk Plus
NVD Exploit-DB
EPSS 11% CVSS 6.5
MEDIUM POC THREAT This Month

SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 10.6%.

Zoho SQLi Servicedesk Plus
NVD Exploit-DB
EPSS 2% CVSS 6.8
MEDIUM POC PATCH This Month

Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

Zoho CSRF Manageengine Desktop Central
NVD Exploit-DB
EPSS 32% 4.0 CVSS 7.5
HIGH POC THREAT Act Now

Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 32.2%.

Zoho SQLi Manageengine Opmanager
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

Zoho XSS Manageengine Supportcenter Plus
NVD
EPSS 79% 4.9 CVSS 5.0
MEDIUM POC THREAT This Month

Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 78.9%.

Path Traversal Zoho Manageengine Supportcenter Plus
NVD Exploit-DB
EPSS 1% CVSS 4.3
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Zoho XSS Manageengine Adselfservice Plus
NVD
EPSS 19% CVSS 7.5
HIGH POC PATCH THREAT Act Now

Unrestricted file upload vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to execute arbitrary code by. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 19.4%.

Zoho RCE PHP +3
NVD Exploit-DB
EPSS 7% CVSS 10.0
CRITICAL Act Now

Directory traversal vulnerability in the CollectorConfInfoServlet servlet in ManageEngine NetFlow Analyzer allows remote attackers to execute arbitrary code via a .. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal RCE Zoho +1
NVD
EPSS 2% CVSS 6.4
MEDIUM This Month

Directory traversal vulnerability in the UploadAccountActivities servlet in ManageEngine Password Manager Pro (PMP) before 7103 allows remote attackers to delete arbitrary files via a .. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Zoho Password Manager Pro
NVD
EPSS 10% CVSS 10.0
CRITICAL Act Now

The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 10.2% and no vendor patch available.

Zoho RCE Manageengine Desktop Central
NVD
EPSS 83% 5.5 CVSS 7.5
HIGH POC THREAT Act Now

Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 82.8%.

Path Traversal Zoho Manageengine Social It Plus +2
NVD Exploit-DB
EPSS 1% CVSS 7.5
HIGH POC This Week

SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho SQLi Manageengine Password Manager Pro +1
NVD Exploit-DB
EPSS 71% 5.1 CVSS 7.5
HIGH POC THREAT Act Now

SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90043, Password Manager. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 71.2%.

Zoho SQLi It360 +2
NVD Exploit-DB
EPSS 70% 5.1 CVSS 7.5
HIGH POC THREAT Act Now

Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 69.7%.

Zoho SQLi Manageengine Social It Plus +2
NVD Exploit-DB
EPSS 62% CVSS 7.5
HIGH PATCH Act Now

SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 62.1%.

Zoho SQLi Manageengine Opmanager +2
NVD
EPSS 36% CVSS 6.4
MEDIUM POC PATCH THREAT This Month

Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 36.5%.

Path Traversal Zoho Manageengine Opmanager +2
NVD Exploit-DB
EPSS 12% CVSS 7.5
HIGH POC PATCH THREAT Act Now

Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 11.6%.

Path Traversal Zoho Manageengine Opmanager
NVD Exploit-DB
EPSS 87% 5.1 CVSS 5.0
MEDIUM POC PATCH THREAT This Month

Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 86.6%.

Path Traversal Zoho Manageengine Social It Plus +2
NVD Exploit-DB
EPSS 66% 4.5 CVSS 5.0
MEDIUM POC THREAT This Month

Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 65.7%.

Path Traversal Zoho Manageengine It360 +1
NVD Exploit-DB
EPSS 91% 5.2 CVSS 5.0
MEDIUM POC THREAT This Month

Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 91.0%.

Path Traversal Zoho Manageengine It360 +1
NVD GitHub Exploit-DB
EPSS 0% CVSS 7.8
HIGH This Week

The ConfigSaveServlet servlet in ManageEngine OpUtils before build 71024 allows remote attackers to "disclose" files via a crafted filename, related to "saveFile.". Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Zoho Information Disclosure Oputils
NVD
EPSS 75% 5.0 CVSS 6.5
MEDIUM POC THREAT This Month

Multiple SQL injection vulnerabilities in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allow remote authenticated. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 74.9%.

Zoho SQLi Password Manager Pro
NVD Exploit-DB
EPSS 5% CVSS 6.5
MEDIUM POC This Month

SQL injection vulnerability in BulkEditSearchResult.cc in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allows remote. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho SQLi Manageengine Password Manager Pro
NVD Exploit-DB
EPSS 82% 5.5 CVSS 7.5
HIGH POC THREAT Act Now

Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 81.7%.

Path Traversal RCE Zoho +1
NVD Exploit-DB GitHub
EPSS 56% 4.7 CVSS 7.5
HIGH POC THREAT Act Now

Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 55.9%.

Path Traversal RCE Zoho +1
NVD Exploit-DB
EPSS 86% 5.6 CVSS 7.5
HIGH POC THREAT Act Now

Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 85.8%.

Path Traversal RCE Zoho +1
NVD Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM This Month

The Zoho Books - Accounting App (aka com.zoho.books) application 3.1.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and. Rated medium severity (CVSS 5.4). No vendor patch available.

Zoho Google Information Disclosure +1
NVD
EPSS 5% CVSS 6.5
MEDIUM POC This Month

ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Privilege Escalation Manageengine Eventlog Analyzer
NVD Exploit-DB
Prev Page 5 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy