Zohocorp: Security Vulnerabilities
Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.
CVSS Score
6.1
EPSS Score
0.018
Published
2023-08-11
Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.
CVSS Score
6.1
EPSS Score
0.06
Published
2023-08-10
The event analysis component in Zoho ManageEngine ADAudit Plus 7.1.1 allows an attacker to bypass audit detection by creating or renaming user accounts with a "$" symbol suffix. NOTE: the vendor states "We do not consider this as a security bug and it's an expected behaviour."
CVSS Score
7.5
EPSS Score
0.001
Published
2023-08-07
Zoho ManageEngine ADManager Plus through 7201 allow authenticated users to take over another user's account via sensitive information disclosure.
CVSS Score
6.5
EPSS Score
0.015
Published
2023-08-04
An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. The WebSocket endpoint allows Cross-site WebSocket hijacking.
CVSS Score
4.3
EPSS Score
0.004
Published
2023-08-04
Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module.
CVSS Score
5.4
EPSS Score
0.03
Published
2023-07-28
Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make modifications.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-07-07
Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field.
CVSS Score
5.4
EPSS Score
0.015
Published
2023-07-07
Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files.
CVSS Score
4.9
EPSS Score
0.005
Published
2023-07-05
Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."
CVSS Score
9.8
EPSS Score
0.031
Published
2023-06-20