Zohocorp: Security Vulnerabilities
An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by making use of a virtual machine (VM). This allows a file to be exchanged outside the laptop/system. VMs can be created by any user (even without admin rights). The data exfiltration can occur without any record in the audit trail of Windows events on the host machine. NOTE: the vendor's position is "it's not a vulnerability in our product."
CVSS Score: 7.1 | EPSS Score: 0.0 | Published: 2022-12-20
An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by booting into Safe Mode. This allows a file to be exchanged outside the laptop/system. Safe Mode can be launched by any user (even without admin rights). Data exfiltration can occur, and also malware might be introduced onto the system. NOTE: the vendor's position is "it's not a vulnerability in our product."
CVSS Score: 7.1 | EPSS Score: 0.0 | Published: 2022-12-20
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.
CVSS Score: 4.9 | EPSS Score: 0.001 | Published: 2022-11-23
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2022-11-23
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users.
CVSS Score: 7.2 | EPSS Score: 0.801 | Published: 2022-11-23
Zoho ManageEngine ADManager Plus through 7151 allows authenticated admin users to execute the commands in proxy settings.
CVSS Score: 7.2 | EPSS Score: 0.134 | Published: 2022-11-18
Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.
CVSS Score: 3.3 | EPSS Score: 0.0 | Published: 2022-11-17
Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection.
CVSS Score: 9.8 | EPSS Score: 0.654 | Published: 2022-11-12
Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671).
CVSS Score: 9.8 | EPSS Score: 0.654 | Published: 2022-11-12
Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2022-11-12
Shodan ® - All rights reserved