Zohocorp: Security Vulnerabilities
Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings.
CVSS Score
7.2
EPSS Score
0.938
Published
2023-04-13
Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.
CVSS Score
6.5
EPSS Score
0.006
Published
2023-04-11
Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page.
CVSS Score
6.1
EPSS Score
0.864
Published
2023-04-11
Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API.
CVSS Score
7.5
EPSS Score
0.854
Published
2023-04-05
A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve
a malicious XML payload to trigger this vulnerability.
CVSS Score
5.8
EPSS Score
0.024
Published
2023-03-30
Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications.
CVSS Score
9.1
EPSS Score
0.009
Published
2023-03-23
Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS).
CVSS Score
7.5
EPSS Score
0.06
Published
2023-03-06
ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-03-06
Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.)
CVSS Score
8.8
EPSS Score
0.013
Published
2023-02-25
The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVSS Score
5.4
EPSS Score
0.004
Published
2023-02-13