Zohocorp: Security Vulnerabilities
Zoho ManageEngine CloudSecurityPlus before Build 4117 allows remote code execution through the updatePersonalizeSettings component due to an improper security patch for CVE-2021-40175.
CVSS Score: 8.8; EPSS Score: 0.078; Published: 2022-01-12
Zoho ManageEngine O365 Manager Plus before Build 4416 allows remote code execution via BCP file overwrite through the ChangeDBAPI component.
CVSS Score: 7.8; EPSS Score: 0.011; Published: 2022-01-12
Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote command execution when updating proxy settings through the Admin ProxySettings and Tenant ProxySettings components.
CVSS Score: 7.2; EPSS Score: 0.046; Published: 2022-01-12
A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request.
CVSS Score: 8.8; EPSS Score: 0.047; Published: 2022-01-10
Zoho ManageEngine Desktop Central before 10.0.662, during startup, launches an executable file from the batch files, but this file's path might not be properly defined.
CVSS Score: 7.8; EPSS Score: 0.001; Published: 2022-01-10
Zoho ManageEngine Desktop Central before 10.0.662 allows authenticated users to obtain sensitive information from the database by visiting the Reports page.
CVSS Score: 6.5; EPSS Score: 0.003; Published: 2022-01-10
Zoho ManageEngine Desktop Central before 10.0.662 allows remote code execution by an authenticated user who has complete access to the Reports module.
CVSS Score: 8.8; EPSS Score: 0.098; Published: 2022-01-10
ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists.
CVSS Score: 5.3; EPSS Score: 0.18; Published: 2022-01-03
ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a predictable filename based on the domain name. When ADSSP is configured with multiple Windows domains, a user from one domain can obtain the password policy for another domain by authenticating to the service and then sending a request specifying the password policy file of the other domain.
CVSS Score: 4.3; EPSS Score: 0.003; Published: 2022-01-03
Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.
CVSS Score: 9.8; EPSS Score: 0.055; Published: 2021-12-23

