Zohocorp: Security Vulnerabilities
ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality.
CVSS Score
7.2
EPSS Score
0.274
Published
2022-05-24
Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.
CVSS Score
5.3
EPSS Score
0.112
Published
2022-05-20
Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports.
CVSS Score
9.8
EPSS Score
0.222
Published
2022-05-05
Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring.
CVSS Score
9.8
EPSS Score
0.88
Published
2022-04-28
Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.
CVSS Score
8.8
EPSS Score
0.083
Published
2022-04-18
Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.
CVSS Score
8.8
EPSS Score
0.046
Published
2022-04-18
CVE-2022-28810
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.
Known exploited
CVSS Score
6.8
EPSS Score
0.918
Published
2022-04-18
Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator).
CVSS Score
5.3
EPSS Score
0.015
Published
2022-04-16
Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details.
CVSS Score
5.3
EPSS Score
0.015
Published
2022-04-16
Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.
CVSS Score
6.1
EPSS Score
0.234
Published
2022-04-07